Received: by 2002:a25:d7c1:0:0:0:0:0 with SMTP id o184csp3736068ybg;
        Sun, 20 Oct 2019 20:42:25 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwApSU9Ud2YlDGOGClO2ydLL5UPgnWK5bMp1GdBVkscwo68ltpl1MJNAEGc5CXtYgW2wMX2
X-Received: by 2002:a17:906:4813:: with SMTP id w19mr5101515ejq.258.1571629345622;
        Sun, 20 Oct 2019 20:42:25 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1571629345; cv=none;
        d=google.com; s=arc-20160816;
        b=k2ufkrCKkg9qsfgX23YP6hxHYJwQbZgq456uJCh5X9nxU1Q0WeOHmpAlA0urztsYuA
         xfnxcp/DDs+7qvrB60HAtaVtK07Nx8xacoFtcGQoSnmDsmFZE68egxDF2tpZcdxBks/b
         +Hsd9yas7wt0KQxhYWbQu+De2x1/4we9p31bSwMvXyQURBSrsHa1exKeF61rkTtpWPc1
         DuoZRfYoBKx3nwHfJKJEQiF6BB0gWJ9loebWuN7aBcGhPw5bZRT8VRRaUPBp4joU5D2C
         LCfAcPJicjS+P/DF/XVDkjLdewcB2Sd93MJpL7idSIRv6dskgKZx5MDDc6IfREV385Zr
         oGWQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :authenticated-by;
        bh=sWqZ2Tsc1kpNzwueeJMU7Ov/2Eobj9zixLIcRwtmUzw=;
        b=GYHjOxr/eyvD/JhaBbIkQ1GrETP867c6ViOcREI4+OxVxRtM2dNsmLKfbpDYbuGUz6
         6UcKNhpeGB6y7/GrEjd6rUZNLifDtgrGTVzbWfhlYRT4zzJXyObXtgMM28PDSAmfO1vA
         IqaS1SdcFGKrg2NXF6cezQLNqBEvJgLVJU0vZfAYjRWGtGPysuty+HRi2I8oOy9fXE59
         4DYMLNjAvCedLNFHoBJ0WyxiTX03439i+9W370QktogHImgd025+Ba/E4WP9ugheIyXC
         h4TjxOFdkvetFz4Rq1W59prwgNqjPgw56CtaHAD1ludq8ZjKXnYxWyczQ9D7wDY+9SEa
         +dhg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id u22si7513966ejm.363.2019.10.20.20.42.02;
        Sun, 20 Oct 2019 20:42:25 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727127AbfJUDle (ORCPT <rfc822;vinadhy@gmail.com> + 99 others);
        Sun, 20 Oct 2019 23:41:34 -0400
Received: from rtits2.realtek.com ([211.75.126.72]:58986 "EHLO
        rtits2.realtek.com.tw" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727105AbfJUDld (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 20 Oct 2019 23:41:33 -0400
Authenticated-By: 
X-SpamFilter-By: BOX Solutions SpamTrap 5.62 with qID x9L3fUoi014787, This message is accepted by code: ctloc85258
Received: from mail.realtek.com (RTITCAS11.realtek.com.tw[172.21.6.12])
        by rtits2.realtek.com.tw (8.15.2/2.57/5.78) with ESMTPS id x9L3fUoi014787
        (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Mon, 21 Oct 2019 11:41:30 +0800
Received: from fc30.localdomain (172.21.177.156) by RTITCAS11.realtek.com.tw
 (172.21.6.12) with Microsoft SMTP Server id 14.3.468.0; Mon, 21 Oct 2019
 11:41:28 +0800
From:   Hayes Wang <hayeswang@realtek.com>
To:     <netdev@vger.kernel.org>
CC:     <nic_swsd@realtek.com>, <linux-kernel@vger.kernel.org>,
        <pmalani@chromium.org>, <grundler@chromium.org>,
        Hayes Wang <hayeswang@realtek.com>
Subject: [PATCH net-next 2/4] r8152: add checking fw_offset field of struct fw_mac
Date:   Mon, 21 Oct 2019 11:41:11 +0800
Message-ID: <1394712342-15778-332-Taiwan-albertk@realtek.com>
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <1394712342-15778-330-Taiwan-albertk@realtek.com>
References: <1394712342-15778-330-Taiwan-albertk@realtek.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type:   text/plain; charset=US-ASCII
X-Originating-IP: [172.21.177.156]
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Make sure @fw_offset field of struct fw_mac is more than the size
of struct fw_mac.

Signed-off-by: Hayes Wang <hayeswang@realtek.com>
---
 drivers/net/usb/r8152.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index 55a7674a0c06..090ddd5fb973 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -3399,7 +3399,7 @@ static void rtl_clear_bp(struct r8152 *tp, u16 type)
 
 static bool rtl8152_is_fw_mac_ok(struct r8152 *tp, struct fw_mac *mac)
 {
-	u16 fw_reg, bp_ba_addr, bp_en_addr, bp_start;
+	u16 fw_reg, bp_ba_addr, bp_en_addr, bp_start, fw_offset;
 	bool rc = false;
 	u32 length, type;
 	int i, max_bp;
@@ -3461,13 +3461,19 @@ static bool rtl8152_is_fw_mac_ok(struct r8152 *tp, struct fw_mac *mac)
 		goto out;
 	}
 
+	fw_offset = __le16_to_cpu(mac->fw_offset);
+	if (fw_offset < sizeof(*mac)) {
+		dev_err(&tp->intf->dev, "fw_offset too small\n");
+		goto out;
+	}
+
 	length = __le32_to_cpu(mac->blk_hdr.length);
-	if (length < __le16_to_cpu(mac->fw_offset)) {
+	if (length < fw_offset) {
 		dev_err(&tp->intf->dev, "invalid fw_offset\n");
 		goto out;
 	}
 
-	length -= __le16_to_cpu(mac->fw_offset);
+	length -= fw_offset;
 	if (length < 4 || (length & 3)) {
 		dev_err(&tp->intf->dev, "invalid block length\n");
 		goto out;
-- 
2.21.0