mac80211: brcmfmac: backport important changes from the 4.14

[openwrt/openwrt.git] / package / kernel / mac80211 / patches / 326-v4.14-0005-brcmfmac-Add-check-for-short-event-packets.patch

From dd2349121bb1b8ff688c3ca6a2a0bea9d8c142ca Mon Sep 17 00:00:00 2001
From: Kevin Cernekee <cernekee@chromium.org>
Date: Sat, 16 Sep 2017 21:08:24 -0700
Subject: [PATCH] brcmfmac: Add check for short event packets

The length of the data in the received skb is currently passed into
brcmf_fweh_process_event() as packet_len, but this value is not checked.
event_packet should be followed by DATALEN bytes of additional event
data.  Ensure that the received packet actually contains at least
DATALEN bytes of additional data, to avoid copying uninitialized memory
into event->data.

Cc: <stable@vger.kernel.org> # v3.8
Suggested-by: Mattias Nissler <mnissler@chromium.org>
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
@@ -429,7 +429,8 @@ void brcmf_fweh_process_event(struct brc
        if (code != BRCMF_E_IF && !fweh->evt_handler[code])
                return;
 
-       if (datalen > BRCMF_DCMD_MAXLEN)
+       if (datalen > BRCMF_DCMD_MAXLEN ||
+           datalen + sizeof(*event_packet) > packet_len)
                return;
 
        if (in_interrupt())