update kernel to 5.10.198

hc

2024-01-03 2f7c68cb55ecb7331f2381deb497c27155f32faf

 kernel/drivers/net/wireless/marvell/mwifiex/sta_rx.c
..
..
@@ -98,12 +98,23 @@
98
98
 	rx_pkt_len = le16_to_cpu(local_rx_pd->rx_pkt_length);
99
99
 	rx_pkt_hdr = (void *)local_rx_pd + rx_pkt_off;
100
100
 
101
-	if ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header,
102
-		     sizeof(bridge_tunnel_header))) ||
103
-	    (!memcmp(&rx_pkt_hdr->rfc1042_hdr, rfc1042_header,
104
-		     sizeof(rfc1042_header)) &&
105
-	     ntohs(rx_pkt_hdr->rfc1042_hdr.snap_type) != ETH_P_AARP &&
106
-	     ntohs(rx_pkt_hdr->rfc1042_hdr.snap_type) != ETH_P_IPX)) {
101
+	if (sizeof(rx_pkt_hdr->eth803_hdr) + sizeof(rfc1042_header) +
102
+	    rx_pkt_off > skb->len) {
103
+		mwifiex_dbg(priv->adapter, ERROR,
104
+			    "wrong rx packet offset: len=%d, rx_pkt_off=%d\n",
105
+			    skb->len, rx_pkt_off);
106
+		priv->stats.rx_dropped++;
107
+		dev_kfree_skb_any(skb);
108
+		return -1;
109
+	}
110
+
111
+	if (sizeof(*rx_pkt_hdr) + rx_pkt_off <= skb->len &&
112
+	    ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header,
113
+		      sizeof(bridge_tunnel_header))) ||
114
+	     (!memcmp(&rx_pkt_hdr->rfc1042_hdr, rfc1042_header,
115
+		      sizeof(rfc1042_header)) &&
116
+	      ntohs(rx_pkt_hdr->rfc1042_hdr.snap_type) != ETH_P_AARP &&
117
+	      ntohs(rx_pkt_hdr->rfc1042_hdr.snap_type) != ETH_P_IPX))) {
107
118
 		/*
108
119
 		 *  Replace the 803 header and rfc1042 header (llc/snap) with an
109
120
 		 *    EthernetII header, keep the src/dst and snap_type
..
..
@@ -206,7 +217,8 @@
206
217
 
207
218
 	rx_pkt_hdr = (void *)local_rx_pd + rx_pkt_offset;
208
219
 
209
-	if ((rx_pkt_offset + rx_pkt_length) > (u16) skb->len) {
220
+	if ((rx_pkt_offset + rx_pkt_length) > skb->len ||
221
+	    sizeof(rx_pkt_hdr->eth803_hdr) + rx_pkt_offset > skb->len) {
210
222
 		mwifiex_dbg(adapter, ERROR,
211
223
 			    "wrong rx packet: len=%d, rx_pkt_offset=%d, rx_pkt_length=%d\n",
212
224
 			    skb->len, rx_pkt_offset, rx_pkt_length);