From: stsp Date: Tue, 4 Jan 2022 15:55:28 +0000 (+0000) Subject: fix length boundary checks for incoming packets in iwm/iwx X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=0df2aed8ec8403ff1eb2a82ffe4ade4d74598690;p=openbsd fix length boundary checks for incoming packets in iwm/iwx The minimum length and the maximum length required were both too low, due to an error in accounting for the 4-byte packet length+flags header. Patch by Christian Ehrhardt --- diff --git a/sys/dev/pci/if_iwm.c b/sys/dev/pci/if_iwm.c index 6bd432fba47..4e24845cc29 100644 --- a/sys/dev/pci/if_iwm.c +++ b/sys/dev/pci/if_iwm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_iwm.c,v 1.386 2022/01/04 15:53:57 stsp Exp $ */ +/* $OpenBSD: if_iwm.c,v 1.387 2022/01/04 15:55:28 stsp Exp $ */ /* * Copyright (c) 2014, 2016 genua gmbh @@ -10586,8 +10586,7 @@ iwm_rx_pkt(struct iwm_softc *sc, struct iwm_rx_data *data, struct mbuf_list *ml) break; len = sizeof(pkt->len_n_flags) + iwm_rx_packet_len(pkt); - if (len < sizeof(pkt->hdr) || - len > (IWM_RBUF_SIZE - offset - minsz)) + if (len < minsz || len > (IWM_RBUF_SIZE - offset)) break; if (code == IWM_REPLY_RX_MPDU_CMD && ++nmpdu == 1) { diff --git a/sys/dev/pci/if_iwx.c b/sys/dev/pci/if_iwx.c index 98e1e7da6a1..5dd6eed3612 100644 --- a/sys/dev/pci/if_iwx.c +++ b/sys/dev/pci/if_iwx.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_iwx.c,v 1.129 2022/01/04 15:53:57 stsp Exp $ */ +/* $OpenBSD: if_iwx.c,v 1.130 2022/01/04 15:55:28 stsp Exp $ */ /* * Copyright (c) 2014, 2016 genua gmbh @@ -8613,8 +8613,7 @@ iwx_rx_pkt(struct iwx_softc *sc, struct iwx_rx_data *data, struct mbuf_list *ml) } len = sizeof(pkt->len_n_flags) + iwx_rx_packet_len(pkt); - if (len < sizeof(pkt->hdr) || - len > (IWX_RBUF_SIZE - offset - minsz)) + if (len < minsz || len > (IWX_RBUF_SIZE - offset)) break; if (code == IWX_REPLY_RX_MPDU_CMD && ++nmpdu == 1) {