!15814 wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads (5acc828b) · Commits · EulixOS / Software / Kernel

drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c

+17 −0

Original line number	Diff line number	Diff line
		@@ -96,6 +96,9 @@
		#define BRCMF_ASSOC_PARAMS_FIXED_SIZE \
		(sizeof(struct brcmf_assoc_params_le) - sizeof(u16))

		#define BRCMF_MAX_CHANSPEC_LIST \
		(BRCMF_DCMD_MEDLEN / sizeof(__le32) - 1)

		static bool check_vif_up(struct brcmf_cfg80211_vif *vif)
		{
		if (!test_bit(BRCMF_VIF_STATUS_READY, &vif->sme_state)) {
		@@ -5961,6 +5964,13 @@ static int brcmf_construct_chaninfo(struct brcmf_cfg80211_info *cfg,
		band->channels[i].flags = IEEE80211_CHAN_DISABLED;

		total = le32_to_cpu(list->count);
		if (total > BRCMF_MAX_CHANSPEC_LIST) {
		brcmf_err("Invalid count of channel Spec. (%u)\n",
		total);
		err = -EINVAL;
		goto fail_pbuf;
		}

		for (i = 0; i < total; i++) {
		ch.chspec = (u16)le32_to_cpu(list->element[i]);
		cfg->d11inf.decchspec(&ch);
		@@ -6094,6 +6104,13 @@ static int brcmf_enable_bw40_2g(struct brcmf_cfg80211_info *cfg)
		band = cfg_to_wiphy(cfg)->bands[NL80211_BAND_2GHZ];
		list = (struct brcmf_chanspec_list *)pbuf;
		num_chan = le32_to_cpu(list->count);
		if (num_chan > BRCMF_MAX_CHANSPEC_LIST) {
		brcmf_err("Invalid count of channel Spec. (%u)\n",
		num_chan);
		kfree(pbuf);
		return -EINVAL;
		}

		for (i = 0; i < num_chan; i++) {
		ch.chspec = (u16)le32_to_cpu(list->element[i]);
		cfg->d11inf.decchspec(&ch);