hc
2024-01-03 2f7c68cb55ecb7331f2381deb497c27155f32faf
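--- a/kernel/drivers/net/wireless/marvell/mwifiex/uap_txrx.c
+++ b/kernel/drivers/net/wireless/marvell/mwifiex/uap_txrx.c
@@ -115,6 +115,16 @@
 return;
 }
 
+ if (sizeof(*rx_pkt_hdr) +
+ le16_to_cpu(uap_rx_pd->rx_pkt_offset) > skb->len) {
+ mwifiex_dbg(adapter, ERROR,
+ "wrong rx packet offset: len=%d,rx_pkt_offset=%d\n",
+ skb->len, le16_to_cpu(uap_rx_pd->rx_pkt_offset));
+ priv->stats.rx_dropped++;
+ dev_kfree_skb_any(skb);
+ return;
+ }
+
 if ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header,
 sizeof(bridge_tunnel_header))) ||
 (!memcmp(&rx_pkt_hdr->rfc1042_hdr, rfc1042_header,
@@ -255,7 +265,15 @@
 
 if (is_multicast_ether_addr(ra)) {
 skb_uap = skb_copy(skb, GFP_ATOMIC);
- mwifiex_uap_queue_bridged_pkt(priv, skb_uap);
+ if (likely(skb_uap)) {
+ mwifiex_uap_queue_bridged_pkt(priv, skb_uap);
+ } else {
+ mwifiex_dbg(adapter, ERROR,
+ "failed to copy skb for uAP\n");
+ priv->stats.rx_dropped++;
+ dev_kfree_skb_any(skb);
+ return -1;
+ }
 } else {
 if (mwifiex_get_sta_entry(priv, ra)) {
 /* Requeue Intra-BSS packet */
@@ -379,6 +397,16 @@
 rx_pkt_type = le16_to_cpu(uap_rx_pd->rx_pkt_type);
 rx_pkt_hdr = (void *)uap_rx_pd + le16_to_cpu(uap_rx_pd->rx_pkt_offset);
 
+ if (le16_to_cpu(uap_rx_pd->rx_pkt_offset) +
+ sizeof(rx_pkt_hdr->eth803_hdr) > skb->len) {
+ mwifiex_dbg(adapter, ERROR,
+ "wrong rx packet for struct ethhdr: len=%d, offset=%d\n",
+ skb->len, le16_to_cpu(uap_rx_pd->rx_pkt_offset));
+ priv->stats.rx_dropped++;
+ dev_kfree_skb_any(skb);
+ return 0;
+ }
+
 ether_addr_copy(ta, rx_pkt_hdr->eth803_hdr.h_source);
 
 if ((le16_to_cpu(uap_rx_pd->rx_pkt_offset) +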
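Review bot: In the skb_copy() failure branch (new lines 270-275) the original skb is freed and -1 is returned, so skb ownership on this error path should be documented and checked against the callers, which are outside this section. If any caller frees skb when this routine returns non-zero, the new branch becomes a double free. A comment such as `/* skb is consumed on this path; callers must not free it again on error */` above the `dev_kfree_skb_any(skb);` would make the contract explicit. An allocation failure for the bridged copy now also drops the frame for the local stack; if that is not intended, skipping only the bridging step and counting the drop would keep local delivery. The enclosing function starts and ends outside the hunk.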