[PATCH] wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi
Jeff Johnson
quic_jjohnson at quicinc.com
Fri Jan 10 11:21:30 PST 2025
On 11/22/2024 1:07 PM, Jeff Johnson wrote:
> On 11/22/2024 9:42 AM, Tamizh Chelvam Raja wrote:
>> From: Manish Dharanenthiran <quic_mdharane at quicinc.com>
>>
>> In certain cases, hardware might provide packets with a
>> length greater than the maximum native Wi-Fi header length.
>> This can lead to accessing and modifying fields in the header
>> within the ath12k_dp_rx_h_undecap_nwifi function for
>> DP_RX_DECAP_TYPE_NATIVE_WIFI decap type and
>> potentially resulting in invalid data access and memory corruption.
>>
>> Add a sanity check before processing the SKB to prevent invalid
>> data access in the undecap native Wi-Fi function for the
>> DP_RX_DECAP_TYPE_NATIVE_WIFI decap type.
>>
>> Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1
>>
>> Signed-off-by: Manish Dharanenthiran <quic_mdharane at quicinc.com>
>> Signed-off-by: Tamizh Chelvam Raja <quic_tamizhr at quicinc.com>
>
> Acked-by: Jeff Johnson <quic_jjohnson at quicinc.com>
>
> One nit...
>
>> ---
>> drivers/net/wireless/ath/ath12k/dp_rx.c | 42 +++++++++++++++++++++++--
>> 1 file changed, 40 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c
>> index 0fb39c174475..26ff9a346dca 100644
>> --- a/drivers/net/wireless/ath/ath12k/dp_rx.c
>> +++ b/drivers/net/wireless/ath/ath12k/dp_rx.c
>> @@ -2474,6 +2474,29 @@ static void ath12k_dp_rx_deliver_msdu(struct ath12k *ar, struct napi_struct *nap
>> ieee80211_rx_napi(ath12k_ar_to_hw(ar), pubsta, msdu, napi);
>> }
>>
>> +static bool ath12k_dp_rx_check_nwifi_hdr_len_valid(struct ath12k_base *ab,
>> + struct hal_rx_desc *rx_desc,
>> + struct sk_buff *msdu)
>> +{
>> + u8 decap_type;
>> + struct ieee80211_hdr *hdr;
>> + u32 hdr_len;
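Review bot: The three locals declared at the top of ath12k_dp_rx_check_nwifi_hdr_len_valid() are not in reverse xmas tree order; declare `struct ieee80211_hdr *hdr;` first, then `u8 decap_type;`, then `u32 hdr_len;`. The visible lines also carry no comment saying which length the helper compares against which limit, or what a false return means for the caller. Since this is the bounds check guarding the native Wi-Fi undecap path, a short comment above the function would make the call sites easier to audit.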
>
> try to keep reverse xmas tree format
Will you be posting a v2?