Commit 2f5124e8 authored by Wen Gong's avatar Wen Gong Committed by Kalle Valo
Browse files

wifi: ath12k: add check max message length while scanning with extraie 



Currently the extraie length is directly used to allocate skb buffer. When
the length of skb is greater than the max message length which firmware
supports, error will happen in firmware side.

Hence add check for the skb length and drop extraie when overflow and
print a message.

Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4

Signed-off-by: default avatarWen Gong <quic_wgong@quicinc.com>
Reviewed-by: default avatarJeff Johnson <quic_jjohnson@quicinc.com>
Signed-off-by: default avatarKalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230809081657.13858-1-quic_wgong@quicinc.com
parent 1e413461

drivers/net/wireless/ath/ath12k/wmi.c

+13 −7
Original line number Diff line number Diff line
@@ -2239,12 +2239,6 @@ int ath12k_wmi_send_scan_start_cmd(struct ath12k *ar, 
	if (arg->num_bssid)

		len += sizeof(*bssid) * arg->num_bssid;



	len += TLV_HDR_SIZE;

	if (arg->extraie.len)

		extraie_len_with_pad =

			roundup(arg->extraie.len, sizeof(u32));

	len += extraie_len_with_pad;



	if (arg->num_hint_bssid)

		len += TLV_HDR_SIZE +

		       arg->num_hint_bssid * sizeof(*hint_bssid);
@@ -2253,6 +2247,18 @@ int ath12k_wmi_send_scan_start_cmd(struct ath12k *ar, 
		len += TLV_HDR_SIZE +

		       arg->num_hint_s_ssid * sizeof(*s_ssid);



	len += TLV_HDR_SIZE;

	if (arg->extraie.len)

		extraie_len_with_pad =

			roundup(arg->extraie.len, sizeof(u32));

	if (extraie_len_with_pad <= (wmi->wmi_ab->max_msg_len[ar->pdev_idx] - len)) {

		len += extraie_len_with_pad;

	} else {

		ath12k_warn(ar->ab, "discard large size %d bytes extraie for scan start\n",

			    arg->extraie.len);

		extraie_len_with_pad = 0;

	}



	skb = ath12k_wmi_alloc_skb(wmi->wmi_ab, len);

	if (!skb)

		return -ENOMEM;
@@ -2342,7 +2348,7 @@ int ath12k_wmi_send_scan_start_cmd(struct ath12k *ar, 
	tlv->header = ath12k_wmi_tlv_hdr(WMI_TAG_ARRAY_BYTE, len);

	ptr += TLV_HDR_SIZE;



	if (arg->extraie.len)

	if (extraie_len_with_pad)

		memcpy(ptr, arg->extraie.ptr,

		       arg->extraie.len);