[PATCH] wifi: ath10k: perform buffer size check in ath10k_wow_convert_8023_to_80211()
Kalle Valo
kvalo at kernel.org
Thu Jan 9 05:05:00 PST 2025
Dmitry Antipov <dmantipov at yandex.ru> writes:
> Looking through the following:
>
> -> ath10k_vif_wow_set_wakeups()
> -> ath10k_wow_convert_8023_to_80211()
> ...
> memcpy(..., ..., pattern_len); [1]
> ...
> <- ...
> if (WARN_ON(...packet_len > WOW_MAX_PATTERN_SIZE)) [2]
> ...
>
> I've found that [2] makes no sense after [1]. I.e. check for possible
> buffer overflow should be performed prior to touching both 'pattern' and
> 'mask' buffers with 'memcpy()' in 'ath10k_wow_convert_8023_to_80211()'.
> Compile tested only.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Signed-off-by: Dmitry Antipov <dmantipov at yandex.ru>
This code path should be tested on a real device, can anyone help with
that?
--
https://patchwork.kernel.org/project/linux-wireless/list/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
More information about the ath10k
mailing list