author | 2017-07-22 16:48:58 +0000 | |
---|---|---|
committer | 2017-07-22 16:48:58 +0000 | |
commit | b7af668553a11153b542b3b4bbab7ea56eba8b64 (patch) | |
tree | 99a118055cbe50416ad5e80b5bc483cdeb1f703c | |
parent | Fix length checks in EAPOL key frame parsing. (diff) | |
Add frame length range checks to the input path of iwm(4).
No security benefit since the firmware has DMA access but we should
not have such bad examples in our source tree.
ok kevlo@
-rw-r--r-- | sys/dev/pci/if_iwm.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/sys/dev/pci/if_iwm.c b/sys/dev/pci/if_iwm.c
index 597c898af10..88cbcd7498b 100644
--- a/sys/dev/pci/if_iwm.c
+++ b/sys/dev/pci/if_iwm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_iwm.c,v 1.202 2017/07/16 23:38:36 stsp Exp $ */
+/* $OpenBSD: if_iwm.c,v 1.203 2017/07/22 16:48:58 stsp Exp $ */
 /*
 * Copyright (c) 2014, 2016 genua gmbh <info@genua.de>
@@ -3357,6 +3357,15 @@ iwm_rx_rx_mpdu(struct iwm_softc *sc, struct iwm_rx_packet *pkt,
 rx_res = (struct iwm_rx_mpdu_res_start *)pkt->data;
 wh = (struct ieee80211_frame *)(pkt->data + sizeof(*rx_res));
 len = le16toh(rx_res->byte_count);
+ if (len < IEEE80211_MIN_LEN) {
+ ic->ic_stats.is_rx_tooshort++;
+ IC2IFP(ic)->if_ierrors++;
+ return;
+ }
+ if (len > IWM_RBUF_SIZE) {
+ IC2IFP(ic)->if_ierrors++;
+ return;
+ }
 rx_pkt_status = le32toh(*(uint32_t *)(pkt->data + sizeof(*rx_res) + len)); |
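Review bot: The upper bound `if (len > IWM_RBUF_SIZE)` in the second hunk compares the firmware-supplied byte count with the size of the whole receive buffer, but the status word read in the context line right after it starts at `pkt->data + sizeof(*rx_res) + len` and is four bytes wide. A `len` equal to or just below IWM_RBUF_SIZE therefore passes the check and the read still lands past the end of the buffer. Subtracting the bytes that precede and follow the frame would make the check match the access, for example `if (len > IWM_RBUF_SIZE - sizeof(*pkt) - sizeof(*rx_res) - sizeof(uint32_t))`; whether `sizeof(*pkt)` is the correct offset of `data` depends on the layout of struct iwm_rx_packet, which is not visible here. The body of iwm_rx_rx_mpdu starts and ends outside the hunk, so any later length handling could not be checked.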