The minimum length and the maximum length required were both too low,
due to an error in accounting for the 4-byte packet length+flags header.
Patch by Christian Ehrhardt
-/* $OpenBSD: if_iwm.c,v 1.386 2022/01/04 15:53:57 stsp Exp $ */
+/* $OpenBSD: if_iwm.c,v 1.387 2022/01/04 15:55:28 stsp Exp $ */
/*
* Copyright (c) 2014, 2016 genua gmbh <info@genua.de>
break;
len = sizeof(pkt->len_n_flags) + iwm_rx_packet_len(pkt);
- if (len < sizeof(pkt->hdr) ||
- len > (IWM_RBUF_SIZE - offset - minsz))
+ if (len < minsz || len > (IWM_RBUF_SIZE - offset))
break;
if (code == IWM_REPLY_RX_MPDU_CMD && ++nmpdu == 1) {
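Review bot: The new upper bound `len > (IWM_RBUF_SIZE - offset)` only limits `len` while `offset` is no larger than `IWM_RBUF_SIZE`. The declaration of `offset` and the loop condition that presumably guarantees this are outside the hunk; if `offset` is unsigned, a larger value would make the subtraction wrap and the check would accept an oversized length. Because `len` appears to be derived from the packet itself via `iwm_rx_packet_len(pkt)`, I would record the invariant and the units next to the check once confirmed, e.g. `/* len includes the len_n_flags word; the loop condition keeps offset below IWM_RBUF_SIZE */`. The same applies to the matching check in if_iwx.c, `len > (IWX_RBUF_SIZE - offset)`. The enclosing function starts and ends outside the hunk.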
-/* $OpenBSD: if_iwx.c,v 1.129 2022/01/04 15:53:57 stsp Exp $ */
+/* $OpenBSD: if_iwx.c,v 1.130 2022/01/04 15:55:28 stsp Exp $ */
/*
* Copyright (c) 2014, 2016 genua gmbh <info@genua.de>
}
len = sizeof(pkt->len_n_flags) + iwx_rx_packet_len(pkt);
- if (len < sizeof(pkt->hdr) ||
- len > (IWX_RBUF_SIZE - offset - minsz))
+ if (len < minsz || len > (IWX_RBUF_SIZE - offset))
break;
if (code == IWX_REPLY_RX_MPDU_CMD && ++nmpdu == 1) {