git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Lior David <qca_liord@qca.qualcomm.com>
	Tue, 21 Apr 2020 12:40:13 +0000 (13:40 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 24 Apr 2020 05:59:09 +0000 (07:59 +0200)
commit	059f3ff19afa3aa3112492e234382f097c27b0fa
tree	80ec1a230587349fc0fadc8194b25c5bad0deb99	tree
parent	b0a7e39e8a53f474342e727e1edbdb4bd0952f4f	commit \| diff

wil6210: fix length check in __wmi_send

[ Upstream commit 26a6d5274865532502c682ff378ac8ebe2886238 ]

The current length check:
sizeof(cmd) + len > r->entry_size
will allow very large values of len (> U16_MAX - sizeof(cmd))
and can cause a buffer overflow. Fix the check to cover this case.
In addition, ensure the mailbox entry_size is not too small,
since this can also bypass the above check.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/net/wireless/ath/wil6210/interrupt.c		diff \| blob \| blame \| history
drivers/net/wireless/ath/wil6210/wmi.c		diff \| blob \| blame \| history