Home Home > GIT Browse > SLE12-SP4
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOliver Neukum <oneukum@suse.com>2019-01-16 15:07:50 +0100
committerOliver Neukum <oneukum@suse.com>2019-01-16 17:48:46 +0100
commitfbaf1562147d90118e47c702183f1c7566b2dc6e (patch)
tree34e0c90ca903a97f6ee7c4c4a0aa74844e64033c
parent9544c6e0523e08530fc68a9c39024cf5fc70a210 (diff)
libertas_tf: prevent underflow in process_cmdrequest()
(bsc#1119086).
-rw-r--r--patches.fixes/0001-libertas_tf-prevent-underflow-in-process_cmdrequest.patch34
-rw-r--r--series.conf1
2 files changed, 35 insertions, 0 deletions
diff --git a/patches.fixes/0001-libertas_tf-prevent-underflow-in-process_cmdrequest.patch b/patches.fixes/0001-libertas_tf-prevent-underflow-in-process_cmdrequest.patch
new file mode 100644
index 0000000000..1ea84de7f0
--- /dev/null
+++ b/patches.fixes/0001-libertas_tf-prevent-underflow-in-process_cmdrequest.patch
@@ -0,0 +1,34 @@
+From 3348ef6a6a126706d6a73ed40c18d8033df72783 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 14 Aug 2018 12:07:48 +0300
+Subject: [PATCH] libertas_tf: prevent underflow in process_cmdrequest()
+Git-commit: 3348ef6a6a126706d6a73ed40c18d8033df72783
+Patch-mainline: v4.20
+References: bsc#1119086
+
+If recvlength is less than MESSAGE_HEADER_LEN (4) we would end up
+corrupting memory.
+
+Fixes: c305a19a0d0a ("libertas_tf: usb specific functions")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ drivers/net/wireless/marvell/libertas_tf/if_usb.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/marvell/libertas_tf/if_usb.c
++++ b/drivers/net/wireless/marvell/libertas_tf/if_usb.c
+@@ -603,9 +603,10 @@ static inline void process_cmdrequest(in
+ struct if_usb_card *cardp,
+ struct lbtf_private *priv)
+ {
+- if (recvlength > LBS_CMD_BUFFER_SIZE) {
++ if (recvlength < MESSAGE_HEADER_LEN ||
++ recvlength > LBS_CMD_BUFFER_SIZE) {
+ lbtf_deb_usbd(&cardp->udev->dev,
+- "The receive buffer is too large\n");
++ "The receive buffer is invalid %d\n", recvlength);
+ kfree_skb(skb);
+ return;
+ }
diff --git a/series.conf b/series.conf
index ff3fbe2b12..6310da23dc 100644
--- a/series.conf
+++ b/series.conf
@@ -18901,6 +18901,7 @@
patches.fixes/iwlwifi-don-t-WARN-on-trying-to-dump-dead-firmware.patch
patches.drivers/iwlwifi-mvm-fix-BAR-seq-ctrl-reporting.patch
patches.drivers/iwlwifi-mvm-send-BCAST-management-frames-to-the-righ.patch
+ patches.fixes/0001-libertas_tf-prevent-underflow-in-process_cmdrequest.patch
patches.drivers/brcmfmac-fix-for-proper-support-of-160MHz-bandwidth.patch
patches.drivers/iwlwifi-dbg-don-t-crash-if-the-firmware-crashes-in-t.patch
patches.fixes/0001-iwlwifi-fix-non_shared_ant-for-22000-devices.patch