]> git.baikalelectronics.ru Git - kernel.git/commit
wil6210: fix length check in __wmi_send
authorLior David <qca_liord@qca.qualcomm.com>
Tue, 14 Nov 2017 13:25:37 +0000 (15:25 +0200)
committerKalle Valo <kvalo@qca.qualcomm.com>
Sat, 2 Dec 2017 14:18:28 +0000 (16:18 +0200)
commitdbea0d3e2f7b14edcd9dc601833f2b1e8b73539b
tree8fd4f740718bf940405b6cd5c98b7cfb645608ba
parent9f6575a2cd93e583ff5790aa82b4a737e7e62a88
wil6210: fix length check in __wmi_send

The current length check:
sizeof(cmd) + len > r->entry_size
will allow very large values of len (> U16_MAX - sizeof(cmd))
and can cause a buffer overflow. Fix the check to cover this case.
In addition, ensure the mailbox entry_size is not too small,
since this can also bypass the above check.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
drivers/net/wireless/ath/wil6210/interrupt.c
drivers/net/wireless/ath/wil6210/wmi.c