Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp173687imd; Wed, 31 Oct 2018 16:48:22 -0700 (PDT) X-Google-Smtp-Source: AJdET5dAeabUB3jlwIJdWKY7ug6cBDY+o4OUdIaaoQs2YsqaCmXACDr8UwJl8Rkjgez7qAJcLXsG X-Received: by 2002:a17:902:f097:: with SMTP id go23mr5246066plb.328.1541029702810; Wed, 31 Oct 2018 16:48:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1541029702; cv=none; d=google.com; s=arc-20160816; b=odBTHRBh65qBRbuu++oUF6AKy504a1HZpbpILgwcp2KbBkz/YTkiDWlA8egepswi2r KlywfP9Ja/yFPWAI6ZpPRjp/TFFuYz1wx4kTUJcCgv1U1J4zN237ZcgoWygjoeHjQNlF ypyQDastlsEa+ONP77hqcB5H6wYeR4o8HZfP6BQV8mueof7NEGeZpSvB3Af1UO8vL2iR ILvR+519WAqOL7VogCHd6XRV0GhormTomibSLFfjC827pSobqO2RDX406fLnINe7bKKE yQ+d/oXFYQ0UBjX2OE0Sru0Z/nnkEiqWv2Fdmd1cWlWB/63T1fpuzYk2AYueOHCsE+QL 3vwQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature; bh=idJ2nG7vfqCJZUFU5dGoR0IjY+ZIVcs/ICiyW7vEMtU=; b=ESt/IcHP4+IgHNBPqwnuCdNF1WclkmMmHviboXd35ZTrw2ir+aWN4wIVnti354WTTW QE3frAMCP5VqM03BbKNt5oTWDEmTMR+7LmyFTSNEbtjTYv3+UX79MUzKK2k+6+p+reTK cZxK+nh3fFZdjC4h2JsctwoFHPRrbpv+baxKrA/esDaKUorVtcgQRNZ6RpNhio6hCYbX r92TySh2ZzDRAlZAsX3yE4VwpzE1BtBt4sgf0fm0AiwyLXV5cVaQSVg5IeBjVydJDCJF z7+js/+kJBJShB/ywnOddHkRC5EVgONip6Vi75Vjk8fz0fx830SHT7Rl7xoY6HPLkzgJ Dm+A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=1+pUqLc7; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g92-v6si29212289plg.354.2018.10.31.16.48.08; Wed, 31 Oct 2018 16:48:22 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=1+pUqLc7; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728560AbeKAIHD (ORCPT + 99 others); Thu, 1 Nov 2018 04:07:03 -0400 Received: from mail.kernel.org ([198.145.29.99]:54430 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728512AbeKAIHB (ORCPT ); Thu, 1 Nov 2018 04:07:01 -0400 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E071520821; Wed, 31 Oct 2018 23:06:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1541027211; bh=Iq7wlvSUDkCpAU+LDyoCb3Q+Bwtn72s/fPFvJCGEZNg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1+pUqLc7rWURkCaNQhGsb6IXnimqWjCfWcIbGNB25ohSTZhCZd06JccAmE5/FI2Ky VrgheAM5yAadYafYu3LXmb3a2mP0sYntS5fPuGp+C7ZjenkdLslGU7/fpXr+KvwA83 d3SUPL7+Lezd357Nz4oPK5b1fjNAjhxH4V3f0h1E= From: Sasha Levin To: stable@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Dan Carpenter , Kalle Valo , Sasha Levin Subject: [PATCH AUTOSEL 4.19 075/146] libertas_tf: prevent underflow in process_cmdrequest() Date: Wed, 31 Oct 2018 19:04:30 -0400 Message-Id: <20181031230541.28822-75-sashal@kernel.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181031230541.28822-1-sashal@kernel.org> References: <20181031230541.28822-1-sashal@kernel.org> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Dan Carpenter [ Upstream commit 3348ef6a6a126706d6a73ed40c18d8033df72783 ] If recvlength is less than MESSAGE_HEADER_LEN (4) we would end up corrupting memory. Fixes: c305a19a0d0a ("libertas_tf: usb specific functions") Signed-off-by: Dan Carpenter Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin --- drivers/net/wireless/marvell/libertas_tf/if_usb.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/marvell/libertas_tf/if_usb.c b/drivers/net/wireless/marvell/libertas_tf/if_usb.c index e92fc5001171..789337ea676a 100644 --- a/drivers/net/wireless/marvell/libertas_tf/if_usb.c +++ b/drivers/net/wireless/marvell/libertas_tf/if_usb.c @@ -605,9 +605,10 @@ static inline void process_cmdrequest(int recvlength, uint8_t *recvbuff, { unsigned long flags; - if (recvlength > LBS_CMD_BUFFER_SIZE) { + if (recvlength < MESSAGE_HEADER_LEN || + recvlength > LBS_CMD_BUFFER_SIZE) { lbtf_deb_usbd(&cardp->udev->dev, - "The receive buffer is too large\n"); + "The receive buffer is invalid: %d\n", recvlength); kfree_skb(skb); return; } -- 2.17.1