Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 059f3ff19afa3aa3112492e234382f097c27b0fa
commit059f3ff19afa3aa3112492e234382f097c27b0fa[log] [tgz]
authorLior David <qca_liord@qca.qualcomm.com>Tue Apr 21 13:40:13 2020 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>Fri Apr 24 07:59:09 2020 +0200
tree80ec1a230587349fc0fadc8194b25c5bad0deb99
parentb0a7e39e8a53f474342e727e1edbdb4bd0952f4f [diff]
wil6210: fix length check in __wmi_send

[ Upstream commit 26a6d5274865532502c682ff378ac8ebe2886238 ]

The current length check:
sizeof(cmd) + len > r->entry_size
will allow very large values of len (> U16_MAX - sizeof(cmd))
and can cause a buffer overflow. Fix the check to cover this case.
In addition, ensure the mailbox entry_size is not too small,
since this can also bypass the above check.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2 files changed
tree: 80ec1a230587349fc0fadc8194b25c5bad0deb99
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitattributes
  26. .gitignore
  27. .mailmap
  28. COPYING
  29. CREDITS
  30. Kbuild
  31. Kconfig
  32. MAINTAINERS
  33. Makefile
  34. README
  35. REPORTING-BUGS