diff options
author | Johannes Berg <johannes.berg@intel.com> | 2021-01-17 13:10:28 +0200 |
---|---|---|
committer | Luca Coelho <luciano.coelho@intel.com> | 2021-02-05 11:52:24 +0200 |
commit | afc857bc2a71905b23bbe1894dbadb2915a3ac4d (patch) | |
tree | 7a0e69dba312c8a70a4c03e7086ede0077abb73a /drivers/net/wireless/intel/iwlwifi/mvm/tt.c | |
parent | iwl4965: do not process non-QOS frames on txq->sched_retry path (diff) | |
download | linux-dev-afc857bc2a71905b23bbe1894dbadb2915a3ac4d.tar.xz linux-dev-afc857bc2a71905b23bbe1894dbadb2915a3ac4d.zip |
iwlwifi: mvm: add notification size checks
We shouldn't trust the firmware with the sizes (or contents)
of notifications, accessing too much data could cause page
faults if the data doesn't fit into the allocated space. This
applies more on older NICs where multiple notifications can
be in a single RX buffer.
Add a general framework for checking a minimum size of any
notification in the RX handlers and use it for most. Some RX
handlers were already checking and I've moved the checks,
some more complex checks I left and made them _NO_SIZE for
the RX handlers.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Link: https://lore.kernel.org/r/iwlwifi.20210117130510.3e155d5e5f90.I2121fa4ac7cd7eb98970d84b793796646afa3eed@changeid
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Diffstat (limited to 'drivers/net/wireless/intel/iwlwifi/mvm/tt.c')
-rw-r--r-- | drivers/net/wireless/intel/iwlwifi/mvm/tt.c | 6 |
1 files changed, 0 insertions, 6 deletions
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tt.c b/drivers/net/wireless/intel/iwlwifi/mvm/tt.c index 507625f96dd7..9dfe0381cbeb 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/tt.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/tt.c @@ -156,12 +156,6 @@ void iwl_mvm_ct_kill_notif(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb) { struct iwl_rx_packet *pkt = rxb_addr(rxb); struct ct_kill_notif *notif; - int len = iwl_rx_packet_payload_len(pkt); - - if (WARN_ON_ONCE(len != sizeof(*notif))) { - IWL_ERR(mvm, "Invalid CT_KILL_NOTIFICATION\n"); - return; - } notif = (struct ct_kill_notif *)pkt->data; IWL_DEBUG_TEMP(mvm, "CT Kill notification temperature = %d\n", |