]> asedeno.scripts.mit.edu Git - linux.git/commit
projects / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 144a12a) | patch
wil6210: fix length check in __wmi_send
authorLior David <qca_liord@qca.qualcomm.com>
Tue, 14 Nov 2017 13:25:37 +0000 (15:25 +0200)
committerKalle Valo <kvalo@qca.qualcomm.com>
Sat, 2 Dec 2017 14:18:28 +0000 (16:18 +0200)
commit26a6d5274865532502c682ff378ac8ebe2886238
tree8fd4f740718bf940405b6cd5c98b7cfb645608batree | snapshot
parent144a12a6d83f3ca34ddefce5dee4d502afd2fc5bcommit | diff
wil6210: fix length check in __wmi_send

The current length check:
sizeof(cmd) + len > r->entry_size
will allow very large values of len (> U16_MAX - sizeof(cmd))
and can cause a buffer overflow. Fix the check to cover this case.
In addition, ensure the mailbox entry_size is not too small,
since this can also bypass the above check.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
drivers/net/wireless/ath/wil6210/interrupt.c diff | blob | history
drivers/net/wireless/ath/wil6210/wmi.c diff | blob | history
local clone of linux.git