diff mbox series

[04/12] iwlwifi: pcie: make sure iwl_rx_packet_payload_len() will not underflow

Message ID iwlwifi.20220130115024.ea00b52c6f25.I8b79b14f1af8b6f2f579f97b397b9e005fe446b1@changeid
State New
Headers show
Series iwlwifi: updates intended for v5.18 2022-01-30 | expand

Commit Message

Luca Coelho Jan. 30, 2022, 9:52 a.m. UTC 
From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>

If the device is malfunctioning and reports too short rx descriptor
length, iwl_rx_packet_payload_len() will underflow, eventually resulting
in accessing memory out of bounds and other bad things. Prevent this.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
---
 drivers/net/wireless/intel/iwlwifi/pcie/rx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
index bda98c2eb0ad..e4016c97d5ab 100644
--- a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
@@ -1317,7 +1317,7 @@  static void iwl_pcie_rx_handle_rb(struct iwl_trans *trans,
 		offset += ALIGN(len, FH_RSCSR_FRAME_ALIGN);
 
 		/* check that what the device tells us made sense */
-		if (offset > max_len)
+		if (len < sizeof(*pkt) || offset > max_len)
 			break;
 
 		trace_iwlwifi_dev_rx(trans->dev, trans, pkt, len);