[PATCH] wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi

Tamizh Chelvam Raja (QUIC) quic_tamizhr at quicinc.com
Tue Feb 11 01:14:45 PST 2025


>On 11/22/2024 1:07 PM, Jeff Johnson wrote:
>> On 11/22/2024 9:42 AM, Tamizh Chelvam Raja wrote:
>>> From: Manish Dharanenthiran <quic_mdharane at quicinc.com>
>>>
>>> In certain cases, hardware might provide packets with a length
>>> greater than the maximum native Wi-Fi header length.
>>> This can lead to accessing and modifying fields in the header within
>>> the ath12k_dp_rx_h_undecap_nwifi function for
>>> DP_RX_DECAP_TYPE_NATIVE_WIFI decap type and potentially resulting in
>>> invalid data access and memory corruption.
>>>
>>> Add a sanity check before processing the SKB to prevent invalid data
>>> access in the undecap native Wi-Fi function for the
>>> DP_RX_DECAP_TYPE_NATIVE_WIFI decap type.
>>>
>>> Tested-on: QCN9274 hw2.0 PCI
>>> WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1
>>>
>>> Signed-off-by: Manish Dharanenthiran <quic_mdharane at quicinc.com>
>>> Signed-off-by: Tamizh Chelvam Raja <quic_tamizhr at quicinc.com>
>>
>> Acked-by: Jeff Johnson <quic_jjohnson at quicinc.com>
>>
>> One nit...
>>
>>> ---
>>>  drivers/net/wireless/ath/ath12k/dp_rx.c | 42
>>> +++++++++++++++++++++++--
>>>  1 file changed, 40 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c
>>> b/drivers/net/wireless/ath/ath12k/dp_rx.c
>>> index 0fb39c174475..26ff9a346dca 100644
>>> --- a/drivers/net/wireless/ath/ath12k/dp_rx.c
>>> +++ b/drivers/net/wireless/ath/ath12k/dp_rx.c
>>> @@ -2474,6 +2474,29 @@ static void ath12k_dp_rx_deliver_msdu(struct
>ath12k *ar, struct napi_struct *nap
>>>  	ieee80211_rx_napi(ath12k_ar_to_hw(ar), pubsta, msdu, napi);  }
>>>
>>> +static bool ath12k_dp_rx_check_nwifi_hdr_len_valid(struct ath12k_base
>*ab,
>>> +						   struct hal_rx_desc *rx_desc,
>>> +						   struct sk_buff *msdu)
>>> +{
>>> +	u8 decap_type;
>>> +	struct ieee80211_hdr *hdr;
>>> +	u32 hdr_len;
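
Review bot: the new helper ath12k_dp_rx_check_nwifi_hdr_len_valid() carries no comment saying which bound it enforces. The commit message ties the bug to lengths above the maximum native Wi-Fi header length, so a short comment above the function should name that bound and the DP_RX_DECAP_TYPE_NATIVE_WIFI case it applies to. Since the helper returns bool, the comment should also state what the caller is expected to do with the MSDU on a false return. The comparison itself is not in the quoted part of the hunk, so it cannot be checked from this message.
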
>>
>> try to keep reverse xmas tree format
>
>will you be posting a v2?
>
Posted v2 by fixing this.

-Tamizh.

