git.baikalelectronics.ru Git - kernel.git/commit

]> git.baikalelectronics.ru Git - kernel.git/commit

author	Lior David <qca_liord@qca.qualcomm.com>
	Tue, 14 Nov 2017 13:25:37 +0000 (15:25 +0200)
committer	Kalle Valo <kvalo@qca.qualcomm.com>
	Sat, 2 Dec 2017 14:18:28 +0000 (16:18 +0200)
commit	dbea0d3e2f7b14edcd9dc601833f2b1e8b73539b
tree	8fd4f740718bf940405b6cd5c98b7cfb645608ba	tree \| snapshot
parent	9f6575a2cd93e583ff5790aa82b4a737e7e62a88	commit \| diff

wil6210: fix length check in __wmi_send

The current length check:
sizeof(cmd) + len > r->entry_size
will allow very large values of len (> U16_MAX - sizeof(cmd))
and can cause a buffer overflow. Fix the check to cover this case.
In addition, ensure the mailbox entry_size is not too small,
since this can also bypass the above check.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>

drivers/net/wireless/ath/wil6210/interrupt.c		diff \| blob \| history
drivers/net/wireless/ath/wil6210/wmi.c		diff \| blob \| history

Linux Kernel Source Tree.

RSS Atom