Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 44e0f15b authored by Dan Carpenter's avatar Dan Carpenter Committed by Greg Kroah-Hartman
Browse files

libertas_tf: prevent underflow in process_cmdrequest() 



[ Upstream commit 3348ef6a6a126706d6a73ed40c18d8033df72783 ]

If recvlength is less than MESSAGE_HEADER_LEN (4) we would end up
corrupting memory.

Fixes: c305a19a ("libertas_tf: usb specific functions")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 14e0b9bb

drivers/net/wireless/marvell/libertas_tf/if_usb.c

+3 −2
Original line number Original line Diff line number Diff line
@@ -605,9 +605,10 @@ static inline void process_cmdrequest(int recvlength, uint8_t *recvbuff, 
{

{

	unsigned long flags;

	unsigned long flags;





	if (recvlength > LBS_CMD_BUFFER_SIZE) {

	if (recvlength < MESSAGE_HEADER_LEN ||

	    recvlength > LBS_CMD_BUFFER_SIZE) {

		lbtf_deb_usbd(&cardp->udev->dev,

		lbtf_deb_usbd(&cardp->udev->dev,

			     "The receive buffer is too large\n");

			     "The receive buffer is invalid: %d\n", recvlength);

		kfree_skb(skb);

		kfree_skb(skb);

		return;

		return;

	}

	}