wil6210: Sanity check for reported DMA length

If Rx descriptor contains garbage, it is possible to access memory beyond
allocated buffer.

Check this condition and drop Rx if reported length is
unreasonable large

Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

diff --git a/drivers/net/wireless/ath/wil6210/txrx.c b/drivers/net/wireless/ath/wil6210/txrx.c
index 6a20f0a18622cf2eeb02798772d2232d35af132b..92f18215014cec265b2485c840b4a3c9134a958d 100644 (file)
--- a/drivers/net/wireless/ath/wil6210/txrx.c
+++ b/drivers/net/wireless/ath/wil6210/txrx.c
@@ -349,7 +349,13 @@ static struct sk_buff *wil_vring_reap_rx(struct wil6210_priv *wil,
 
        d1 = wil_skb_rxdesc(skb);
        *d1 = *d;
+       wil_vring_advance_head(vring, 1);
        dmalen = le16_to_cpu(d1->dma.length);
+       if (dmalen > sz) {
+               wil_err(wil, "Rx size too large: %d bytes!\n", dmalen);
+               kfree(skb);
+               return NULL;
+       }
        skb_trim(skb, dmalen);
 
        wil->stats.last_mcs_rx = wil_rxdesc_mcs(d1);
@@ -362,8 +368,6 @@ static struct sk_buff *wil_vring_reap_rx(struct wil6210_priv *wil,
        wil_hex_dump_txrx("Rx ", DUMP_PREFIX_NONE, 32, 4,
                          (const void *)d, sizeof(*d), false);
 
-       wil_vring_advance_head(vring, 1);
-
        /* no extra checks if in sniffer mode */
        if (ndev->type != ARPHRD_ETHER)
                return skb;