1 |
From ace236a39292c28c6fbf01cf91af4060d703da12 Mon Sep 17 00:00:00 2001 |
2 |
From: Dan Carpenter <dan.carpenter@oracle.com> |
3 |
Date: Tue, 14 Aug 2018 12:07:48 +0300 |
4 |
Subject: [PATCH 074/145] libertas_tf: prevent underflow in |
5 |
process_cmdrequest() |
6 |
|
7 |
[ Upstream commit 3348ef6a6a126706d6a73ed40c18d8033df72783 ] |
8 |
|
9 |
If recvlength is less than MESSAGE_HEADER_LEN (4) we would end up |
10 |
corrupting memory. |
11 |
|
12 |
Fixes: c305a19a0d0a ("libertas_tf: usb specific functions") |
13 |
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
14 |
Signed-off-by: Kalle Valo <kvalo@codeaurora.org> |
15 |
Signed-off-by: Sasha Levin <sashal@kernel.org> |
16 |
--- |
17 |
drivers/net/wireless/marvell/libertas_tf/if_usb.c | 5 +++-- |
18 |
1 file changed, 3 insertions(+), 2 deletions(-) |
19 |
|
20 |
diff --git a/drivers/net/wireless/marvell/libertas_tf/if_usb.c b/drivers/net/wireless/marvell/libertas_tf/if_usb.c |
21 |
index e92fc5001171..789337ea676a 100644 |
22 |
--- a/drivers/net/wireless/marvell/libertas_tf/if_usb.c |
23 |
+++ b/drivers/net/wireless/marvell/libertas_tf/if_usb.c |
24 |
@@ -605,9 +605,10 @@ static inline void process_cmdrequest(int recvlength, uint8_t *recvbuff, |
25 |
{ |
26 |
unsigned long flags; |
27 |
|
28 |
- if (recvlength > LBS_CMD_BUFFER_SIZE) { |
29 |
+ if (recvlength < MESSAGE_HEADER_LEN || |
30 |
+ recvlength > LBS_CMD_BUFFER_SIZE) { |
31 |
lbtf_deb_usbd(&cardp->udev->dev, |
32 |
- "The receive buffer is too large\n"); |
33 |
+ "The receive buffer is invalid: %d\n", recvlength); |
34 |
kfree_skb(skb); |
35 |
return; |
36 |
} |
37 |
-- |
38 |
2.19.1 |
39 |
|