From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Date: Sun, 30 Jan 2022 09:52:58 +0000 (+0200)
Subject: iwlwifi: pcie: make sure iwl_rx_packet_payload_len() will not underflow
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=f1658dcb29f423fea394aaa974a8cf5d491c503c;p=linux.git

iwlwifi: pcie: make sure iwl_rx_packet_payload_len() will not underflow

If the device is malfunctioning and reports too short rx descriptor
length, iwl_rx_packet_payload_len() will underflow, eventually resulting
in accessing memory out of bounds and other bad things. Prevent this.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Link: https://lore.kernel.org/r/iwlwifi.20220130115024.ea00b52c6f25.I8b79b14f1af8b6f2f579f97b397b9e005fe446b1@changeid
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
---

diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
index bda98c2eb0ad2..e4016c97d5abc 100644
--- a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
@@ -1317,7 +1317,7 @@ static void iwl_pcie_rx_handle_rb(struct iwl_trans *trans,
 		offset += ALIGN(len, FH_RSCSR_FRAME_ALIGN);
 
 		/* check that what the device tells us made sense */
-		if (offset > max_len)
+		if (len < sizeof(*pkt) || offset > max_len)
 			break;
 
 		trace_iwlwifi_dev_rx(trans->dev, trans, pkt, len);