From: Andrei Otcheretianski Date: Sun, 30 Jan 2022 09:52:58 +0000 (+0200) Subject: iwlwifi: pcie: make sure iwl_rx_packet_payload_len() will not underflow X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=f1658dcb29f423fea394aaa974a8cf5d491c503c;p=linux.git iwlwifi: pcie: make sure iwl_rx_packet_payload_len() will not underflow If the device is malfunctioning and reports too short rx descriptor length, iwl_rx_packet_payload_len() will underflow, eventually resulting in accessing memory out of bounds and other bad things. Prevent this. Signed-off-by: Andrei Otcheretianski Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20220130115024.ea00b52c6f25.I8b79b14f1af8b6f2f579f97b397b9e005fe446b1@changeid Signed-off-by: Luca Coelho --- diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c index bda98c2eb0ad2..e4016c97d5abc 100644 --- a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c +++ b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c @@ -1317,7 +1317,7 @@ static void iwl_pcie_rx_handle_rb(struct iwl_trans *trans, offset += ALIGN(len, FH_RSCSR_FRAME_ALIGN); /* check that what the device tells us made sense */ - if (offset > max_len) + if (len < sizeof(*pkt) || offset > max_len) break; trace_iwlwifi_dev_rx(trans->dev, trans, pkt, len);