linux-wireless.vger.kernel.org archive mirror
From: Luca Coelho <luca@coelho.fi>
To: kvalo@codeaurora.org
Cc: linux-wireless@vger.kernel.org
Subject: [PATCH v2 47/47] iwlwifi: mvm: validate notification size when waiting
Date: Wed,  9 Dec 2020 23:16:51 +0200
Message-ID: <iwlwifi.20201209231352.b29573bcba39.I4b7e72824d06dc0719a40021d933e29edfc14713@changeid>
In-Reply-To: <20201209211651.968276-1-luca@coelho.fi>

From: Johannes Berg <johannes.berg@intel.com>

When waiting for a notification and then processing it,
we also need to check the size of the data before we use
it. Most places do that already, but fix the remaining
ones to do it as well.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
---
 drivers/net/wireless/intel/iwlwifi/iwl-phy-db.c | 16 +++++++++++++---
 drivers/net/wireless/intel/iwlwifi/mvm/fw.c     | 10 ++++++++++
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-phy-db.c b/drivers/net/wireless/intel/iwlwifi/iwl-phy-db.c
index 312ae841f112..bad5659840a2 100644
--- a/drivers/net/wireless/intel/iwlwifi/iwl-phy-db.c
+++ b/drivers/net/wireless/intel/iwlwifi/iwl-phy-db.c
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
 /*
- * Copyright (C) 2005-2014 Intel Corporation
+ * Copyright (C) 2005-2014, 2020 Intel Corporation
  * Copyright (C) 2016 Intel Deutschland GmbH
  */
 #include <linux/slab.h>
@@ -147,13 +147,23 @@ IWL_EXPORT_SYMBOL(iwl_phy_db_free);
 int iwl_phy_db_set_section(struct iwl_phy_db *phy_db,
 			   struct iwl_rx_packet *pkt)
 {
+	unsigned int pkt_len = iwl_rx_packet_payload_len(pkt);
 	struct iwl_calib_res_notif_phy_db *phy_db_notif =
 			(struct iwl_calib_res_notif_phy_db *)pkt->data;
-	enum iwl_phy_db_section_type type = le16_to_cpu(phy_db_notif->type);
-	u16 size  = le16_to_cpu(phy_db_notif->length);
+	enum iwl_phy_db_section_type type;
+	u16 size;
 	struct iwl_phy_db_entry *entry;
 	u16 chg_id = 0;
 
+	if (pkt_len < sizeof(*phy_db_notif))
+		return -EINVAL;
+
+	type = le16_to_cpu(phy_db_notif->type);
+	size = le16_to_cpu(phy_db_notif->length);
+
+	if (pkt_len < sizeof(*phy_db_notif) + size)
+		return -EINVAL;
+
 	if (!phy_db)
 		return -EINVAL;
 
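Review bot: The two new length checks in iwl_phy_db_set_section() return -EINVAL without any message and sit above the existing `if (!phy_db)` test, so a truncated or inconsistent notification is reported to the caller exactly like a NULL phy_db and nothing records which bound failed. Consider logging the failing case (pkt_len against the header size, or against header plus `length`) and keeping the `!phy_db` test first so the cheap argument check still runs before the packet is parsed. The arithmetic itself looks safe: `size` is a u16, so `sizeof(*phy_db_notif) + size` is evaluated in size_t and cannot wrap.
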
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
index 8f15f68ffc70..0637eb1cff4e 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
@@ -160,6 +160,7 @@ void iwl_mvm_mfu_assert_dump_notif(struct iwl_mvm *mvm,
 static bool iwl_alive_fn(struct iwl_notif_wait_data *notif_wait,
 			 struct iwl_rx_packet *pkt, void *data)
 {
+	unsigned int pkt_len = iwl_rx_packet_payload_len(pkt);
 	struct iwl_mvm *mvm =
 		container_of(notif_wait, struct iwl_mvm, notif_wait);
 	struct iwl_mvm_alive_data *alive_data = data;
@@ -177,6 +178,9 @@ static bool iwl_alive_fn(struct iwl_notif_wait_data *notif_wait,
 				    UCODE_ALIVE_NTFY, 0) == 5) {
 		struct iwl_alive_ntf_v5 *palive;
 
+		if (pkt_len < sizeof(*palive))
+			return false;
+
 		palive = (void *)pkt->data;
 		umac = &palive->umac_data;
 		lmac1 = &palive->lmac_data[0];
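Review bot: The `return false` added in the version-5 branch is silent, and this is the one branch where the check really matters, because the struct is selected by the command version lookup (`== 5`) rather than by payload length. What does the waiter do with false here? If it only means "not the notification I wanted", a short ALIVE will surface as a wait timeout with no hint of the cause; a log line giving pkt_len and `sizeof(*palive)` would make that diagnosable.
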
@@ -194,6 +198,9 @@ static bool iwl_alive_fn(struct iwl_notif_wait_data *notif_wait,
 	} else if (iwl_rx_packet_payload_len(pkt) == sizeof(struct iwl_alive_ntf_v4)) {
 		struct iwl_alive_ntf_v4 *palive;
 
+		if (pkt_len < sizeof(*palive))
+			return false;
+
 		palive = (void *)pkt->data;
 		umac = &palive->umac_data;
 		lmac1 = &palive->lmac_data[0];
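Review bot: The check added in the v4 branch cannot fire: the branch is entered only when `iwl_rx_packet_payload_len(pkt) == sizeof(struct iwl_alive_ntf_v4)`, and pkt_len holds that same value, so `pkt_len < sizeof(*palive)` is always false. Either drop it, or, if it is meant as a guard against a later change to the branch condition, say so in a comment and make the condition use pkt_len as well so the two cannot diverge.
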
@@ -203,6 +210,9 @@ static bool iwl_alive_fn(struct iwl_notif_wait_data *notif_wait,
 		   sizeof(struct iwl_alive_ntf_v3)) {
 		struct iwl_alive_ntf_v3 *palive3;
 
+		if (pkt_len < sizeof(*palive3))
+			return false;
+
 		palive3 = (void *)pkt->data;
 		umac = &palive3->umac_data;
 		lmac1 = &palive3->lmac_data;
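Review bot: Only the tail of the v3 branch condition is visible here (`sizeof(struct iwl_alive_ntf_v3)) {`); if it is the same equality test on the payload length as in the v4 branch, `pkt_len < sizeof(*palive3)` is unreachable in this branch too. Please confirm, and apply whatever is decided for v4 consistently.
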
-- 
2.29.2

