On 08-09-17 21:13, Kevin Cernekee wrote:
The debug print that dumps out newly-dequeued events uses emsg.datalen
before that field has been validated, which may lead to an out-of-bounds
read.  Assume that any properly-formed event message has a valid length
field, and move the debug print below the length check.

The length check is a bit redundant as event->datalen is assigned to emsg.datalen upon queuing the event which also does validation. So I would propose to just remove the length check here.

Regards,
Arend

Suggested-by: Mattias Nissler <mniss...@chromium.org>
Signed-off-by: Kevin Cernekee <cerne...@chromium.org>
---
  drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 10 +++++-----
  1 file changed, 5 insertions(+), 5 deletions(-)
