iwlwifi: pnvm: read EFI data only if long enough

[ Upstream commit e864a77f51d0d8113b49cf7d030bc9dc911c8176 ]

If the data we get from EFI is not even long enough for
the package struct we expect then ignore it entirely.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Fixes: a1a6a4cf49ec ("iwlwifi: pnvm: implement reading PNVM from UEFI")
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/iwlwifi.20211016114029.33feba783518.I54a5cf33975d0330792b3d208b225d479e168f32@changeid
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/net/wireless/intel/iwlwifi/fw/pnvm.c b/drivers/net/wireless/intel/iwlwifi/fw/pnvm.c
index 512c512eefc71b34d8dc6f73881697f6f3046126..24de6e5eb6a4c94a06c22e8f5d409b0d670bbb58 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/fw/pnvm.c
+++ b/drivers/net/wireless/intel/iwlwifi/fw/pnvm.c
@@ -284,9 +284,13 @@ int iwl_pnvm_load(struct iwl_trans *trans,
        /* First attempt to get the PNVM from BIOS */
        package = iwl_uefi_get_pnvm(trans, &len);
        if (!IS_ERR_OR_NULL(package)) {
-               /* we need only the data */
-               len -= sizeof(*package);
-               data = kmemdup(package->data, len, GFP_KERNEL);
+               if (len >= sizeof(*package)) {
+                       /* we need only the data */
+                       len -= sizeof(*package);
+                       data = kmemdup(package->data, len, GFP_KERNEL);
+               } else {
+                       data = NULL;
+               }
 
                /* free package regardless of whether kmemdup succeeded */
                kfree(package);