On Fri, Sep 8, 2017 at 9:13 PM, Kevin Cernekee <cerne...@chromium.org> wrote:
>
> The length of the data in the received skb is currently passed into
> brcmf_fweh_process_event() as packet_len, but this value is not checked.
> event_packet should be followed by DATALEN bytes of additional event
> data.  Ensure that the received packet actually contains at least
> DATALEN bytes of additional data, to avoid copying uninitialized memory
> into event->data.
>
> Suggested-by: Mattias Nissler <mniss...@chromium.org>
> Signed-off-by: Kevin Cernekee <cerne...@chromium.org>
> ---
>  drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c 
> b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
> index 5aabdc9ed7e0..4cad1f0d2a82 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
> @@ -429,7 +429,8 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr,
>         if (code != BRCMF_E_IF && !fweh->evt_handler[code])
>                 return;
>
> -       if (datalen > BRCMF_DCMD_MAXLEN)
> +       if (datalen > BRCMF_DCMD_MAXLEN ||
> +           datalen + sizeof(*event_packet) < packet_len)

Shouldn't this check be larger-than, i.e. we need the packet to be at
least sizeof(*event_packet) + its payload size?

>                 return;
>
>         if (in_interrupt())
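Review bot: the comparison added in this hunk, `datalen + sizeof(*event_packet) < packet_len`, is inverted relative to what the commit message describes: it rejects a packet that carries more bytes than the header plus DATALEN (harmless trailing data) and still accepts a packet that carries fewer, which is exactly the case where the subsequent copy of DATALEN bytes reads past the received data. It should read `datalen + sizeof(*event_packet) > packet_len`. The ordering of the two tests is fine as written: `datalen > BRCMF_DCMD_MAXLEN` is evaluated first and short-circuits the `||`, so the addition only runs with a bounded datalen and cannot wrap.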
> --
> 2.14.1.581.gf28d330327-goog
>

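The length check under discussion, modelled as an added example (this is not the brcmfmac driver's own code, and the `struct event_packet` layout, the `DCMD_MAXLEN` value of 8192, and all function names here are assumptions chosen for illustration). It puts the comparison as posted next to the corrected one and runs both over two constructed packets: one truncated (the header claims more data than the packet carries) and one padded (the packet carries more than the header claims). It also adds the check a practitioner would want before any of this: that the packet is at least large enough to hold the header whose `datalen` field is being read.

```c
/* Added example: self-contained model of the event length check, not the
 * brcmfmac driver's own code. Header layout and constants are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the firmware event header; the real
 * struct brcmf_event differs, only the field this check needs is modelled. */
struct event_packet {
    uint32_t event_type;
    uint32_t datalen;          /* bytes of event data following the header */
};

#define DCMD_MAXLEN 8192U      /* assumed bound, plays the role of BRCMF_DCMD_MAXLEN */

enum verdict { EVT_OK = 0, EVT_TOO_SHORT = 1, EVT_REJECTED = 2 };

/* The comparison as posted: rejects when header + datalen < packet_len,
 * so it drops packets with trailing padding and accepts truncated ones. */
bool posted_check_rejects(size_t packet_len, uint32_t datalen)
{
    return datalen > DCMD_MAXLEN ||
           datalen + sizeof(struct event_packet) < packet_len;
}

/* Corrected comparison: reject when the packet does not carry at least
 * header + datalen bytes. The bound on datalen is tested first, so the
 * addition only runs with a small datalen and cannot wrap. */
bool fixed_check_rejects(size_t packet_len, uint32_t datalen)
{
    return datalen > DCMD_MAXLEN ||
           datalen + sizeof(struct event_packet) > packet_len;
}

/* Validate a received buffer: make sure the header itself fits before
 * reading datalen, then apply the chosen length check. Only after EVT_OK
 * is it safe to copy datalen bytes of event data out of the packet. */
enum verdict validate_event(const uint8_t *buf, size_t packet_len, bool use_fixed)
{
    struct event_packet hdr;

    if (packet_len < sizeof(hdr))
        return EVT_TOO_SHORT;           /* cannot even read datalen */
    memcpy(&hdr, buf, sizeof(hdr));     /* avoids an unaligned load */

    bool rejected = use_fixed ? fixed_check_rejects(packet_len, hdr.datalen)
                              : posted_check_rejects(packet_len, hdr.datalen);
    return rejected ? EVT_REJECTED : EVT_OK;
}

/* Build a constructed packet: a header claiming `datalen` bytes of data,
 * followed by `payload_len` bytes that are actually present. */
size_t build_packet(uint8_t *out, size_t out_cap, uint32_t datalen, size_t payload_len)
{
    struct event_packet hdr = { .event_type = 1, .datalen = datalen };
    if (sizeof(hdr) + payload_len > out_cap)
        return 0;
    memcpy(out, &hdr, sizeof(hdr));
    memset(out + sizeof(hdr), 0xAB, payload_len);
    return sizeof(hdr) + payload_len;
}

/* Construct a packet with the given claimed/actual lengths and validate it. */
enum verdict check_constructed(uint32_t datalen, size_t payload_len, bool use_fixed)
{
    uint8_t buf[256];
    size_t len = build_packet(buf, sizeof(buf), datalen, payload_len);
    return validate_event(buf, len, use_fixed);
}

int main(void)
{
    /* Truncated: header claims 64 bytes, only 16 follow. */
    printf("truncated: posted=%d fixed=%d\n",
           check_constructed(64, 16, false), check_constructed(64, 16, true));
    /* Padded: header claims 16 bytes, 64 follow; the extra is harmless. */
    printf("padded:    posted=%d fixed=%d\n",
           check_constructed(16, 64, false), check_constructed(16, 64, true));
    return 0;
}
```

Running it shows the two checks disagreeing on both packets: the posted comparison lets the truncated packet through and rejects the padded one, while the corrected comparison does the opposite. The separate `packet_len < sizeof(hdr)` test matters too, since a packet shorter than the header would otherwise have its `datalen` read from beyond the received bytes before any comparison happens.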