From 0df2aed8ec8403ff1eb2a82ffe4ade4d74598690 Mon Sep 17 00:00:00 2001
From: stsp
Date: Tue, 4 Jan 2022 15:55:28 +0000
Subject: [PATCH] fix length boundary checks for incoming packets in iwm/iwx

The minimum length and the maximum length required were both too low, due to an error in accounting for the 4-byte packet length+flags header. Patch by Christian Ehrhardt
---
 sys/dev/pci/if_iwm.c | 5 ++---
 sys/dev/pci/if_iwx.c | 5 ++---
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/sys/dev/pci/if_iwm.c b/sys/dev/pci/if_iwm.c
index 6bd432fba47..4e24845cc29 100644
--- a/sys/dev/pci/if_iwm.c
+++ b/sys/dev/pci/if_iwm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_iwm.c,v 1.386 2022/01/04 15:53:57 stsp Exp $ */
+/* $OpenBSD: if_iwm.c,v 1.387 2022/01/04 15:55:28 stsp Exp $ */
 
 /*
 * Copyright (c) 2014, 2016 genua gmbh
@@ -10586,8 +10586,7 @@ iwm_rx_pkt(struct iwm_softc *sc, struct iwm_rx_data *data, struct mbuf_list *ml)
 break;
 
 len = sizeof(pkt->len_n_flags) + iwm_rx_packet_len(pkt);
- if (len < sizeof(pkt->hdr) ||
- len > (IWM_RBUF_SIZE - offset - minsz))
+ if (len < minsz || len > (IWM_RBUF_SIZE - offset))
 break;
 
 if (code == IWM_REPLY_RX_MPDU_CMD && ++nmpdu == 1) {
diff --git a/sys/dev/pci/if_iwx.c b/sys/dev/pci/if_iwx.c
index 98e1e7da6a1..5dd6eed3612 100644
--- a/sys/dev/pci/if_iwx.c
+++ b/sys/dev/pci/if_iwx.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_iwx.c,v 1.129 2022/01/04 15:53:57 stsp Exp $ */
+/* $OpenBSD: if_iwx.c,v 1.130 2022/01/04 15:55:28 stsp Exp $ */
 
 /*
 * Copyright (c) 2014, 2016 genua gmbh
@@ -8613,8 +8613,7 @@ iwx_rx_pkt(struct iwx_softc *sc, struct iwx_rx_data *data, struct mbuf_list *ml)
 }
 
 len = sizeof(pkt->len_n_flags) + iwx_rx_packet_len(pkt);
- if (len < sizeof(pkt->hdr) ||
- len > (IWX_RBUF_SIZE - offset - minsz))
+ if (len < minsz || len > (IWX_RBUF_SIZE - offset))
 break;
 
 if (code == IWX_REPLY_RX_MPDU_CMD && ++nmpdu == 1) {
-- 
2.20.1
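Review bot: The new upper bound `len > (IWM_RBUF_SIZE - offset)` in iwm_rx_pkt() is only sound while `offset` cannot exceed the buffer size, and nothing inside the hunk establishes that. If `offset` is an unsigned type (its declaration is not in the hunk), a larger value would wrap the subtraction and the check would accept any device-supplied length. The guarantee presumably comes from the enclosing loop condition, which like the definition of `minsz` lies outside the hunk, so I would add a comment above the check that records the dependency, for example `/* len includes the 4-byte len_n_flags word; the loop condition keeps offset below IWM_RBUF_SIZE, so the subtraction cannot wrap */`. The same applies to the identical check against `IWX_RBUF_SIZE` in iwx_rx_pkt().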