Commit 3348ef6a authored by Dan Carpenter's avatar Dan Carpenter Committed by Kalle Valo

libertas_tf: prevent underflow in process_cmdrequest()

If recvlength is less than MESSAGE_HEADER_LEN (4) we would end up
corrupting memory.

Fixes: c305a19a ("libertas_tf: usb specific functions")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
parent 62a25dc5
...@@ -605,9 +605,10 @@ static inline void process_cmdrequest(int recvlength, uint8_t *recvbuff, ...@@ -605,9 +605,10 @@ static inline void process_cmdrequest(int recvlength, uint8_t *recvbuff,
{ {
unsigned long flags; unsigned long flags;
if (recvlength > LBS_CMD_BUFFER_SIZE) { if (recvlength < MESSAGE_HEADER_LEN ||
recvlength > LBS_CMD_BUFFER_SIZE) {
lbtf_deb_usbd(&cardp->udev->dev, lbtf_deb_usbd(&cardp->udev->dev,
"The receive buffer is too large\n"); "The receive buffer is invalid: %d\n", recvlength);
kfree_skb(skb); kfree_skb(skb);
return; return;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment