openkylin
/
linux
mirror of https://gitee.com/openkylin/linux.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

libertas_tf: prevent underflow in process_cmdrequest() 

If recvlength is less than MESSAGE_HEADER_LEN (4) we would end up
corrupting memory.

Fixes: c305a19a0d ("libertas_tf: usb specific functions")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
This commit is contained in:
Dan Carpenter 2018-08-14 12:07:48 +03:00 committed by Kalle Valo
parent 62a25dc569
commit 3348ef6a6a
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
drivers/net/wireless/marvell/libertas_tf/if_usb.c
View File

@ -605,9 +605,10 @@ static inline void process_cmdrequest(int recvlength, uint8_t *recvbuff,
{
unsigned long flags;
if (recvlength > LBS_CMD_BUFFER_SIZE) {
if (recvlength < MESSAGE_HEADER_LEN ||
recvlength > LBS_CMD_BUFFER_SIZE) {
lbtf_deb_usbd(&cardp->udev->dev,
"The receive buffer is too large\n");
"The receive buffer is invalid: %d\n", recvlength);
kfree_skb(skb);
return;
}