authorIlhan FOSSE <ilhan.fosse@qorvo.com>2022-11-29 12:12:13 +0100
committerClément Viel <clement.viel@qorvo.com>2022-12-01 16:25:42 +0100
commit3c21e3f7c23c6d40bb5e235bbb99b79b27b06024 (patch)
tree5595f0133441d2cbda3f01264d9546596cd8c7fd /kernel
parentcfa43205823e95e0b1ea7495b8de13fb00a8c743 (diff)
dw3000: added size check to avoid OOB
Bug: 250696102 Change-Id: Ic352a1184ca61a7247aff51585da819897343818 Signed-off-by: Clément Viel <clement.viel@qorvo.com>
Diffstat (limited to 'kernel')
-rw-r--r--kernel/drivers/net/ieee802154/dw3000_nfcc_coex_msg.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/kernel/drivers/net/ieee802154/dw3000_nfcc_coex_msg.c b/kernel/drivers/net/ieee802154/dw3000_nfcc_coex_msg.c
index db6f253..18b74be 100644
--- a/kernel/drivers/net/ieee802154/dw3000_nfcc_coex_msg.c
+++ b/kernel/drivers/net/ieee802154/dw3000_nfcc_coex_msg.c
@@ -33,6 +33,7 @@
#define TLV_U32_LEN (4 + 1) /* u32 + ack/nack. */
#define TLV_SLOTS_LEN(nbslots) \
(1 + (8 * (nbslots)) + 1) /* nslots + slots + ack/nack. */
+#define TLV_SLOTS_LIST_SIZE_MAX (1 + (8 * (TLV_MAX_NB_SLOTS)))
#define MSG_NEXT_TLV(buffer, offset) \
(struct dw3000_nfcc_coex_tlv *)((buffer)->msg.tlvs + (offset))
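Review bot: `TLV_SLOTS_LIST_SIZE_MAX` has no comment and omits the trailing `+ 1` that `TLV_SLOTS_LEN(nbslots)` adds for ack/nack, so it is not clear which layout it measures. If a received slot-list TLV never counts an ack/nack byte in its length, say so next to the macro, e.g. `/* nslots + slots, no ack/nack: largest slot list accepted on receive. */`. If it can carry that byte, a full-size list would be rejected by the check added in the second hunk, and the bound should be `TLV_SLOTS_LEN(TLV_MAX_NB_SLOTS)` instead. The inner parentheses around `TLV_MAX_NB_SLOTS` are redundant.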
@@ -272,6 +273,9 @@ dw3000_nfcc_coex_tlvs_check(struct dw3000 *dw,
/* Reject a new TLV with same type. Behavior not defined. */
if (slot_list)
return -EINVAL;
+ /* Check if the tlv size isn't exceeding the list max size */
+ if (tlv->len > TLV_SLOTS_LIST_SIZE_MAX)
+ return -EINVAL;
slot_list = (const struct dw3000_nfcc_coex_tlv_slot_list
*)&tlv->tlv;
/* Update rx_msg_info. */
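Review bot: The new guard in dw3000_nfcc_coex_tlvs_check bounds `tlv->len` only from above, so a slot-list TLV with length 0, or shorter than the slot count it declares, still reaches the cast to `struct dw3000_nfcc_coex_tlv_slot_list`. If the code after the hunk trusts the count stored in the list rather than `tlv->len`, it could still read past the received payload. Consider also rejecting a too-short TLV, e.g. `if (tlv->len < 1 || tlv->len > TLV_SLOTS_LIST_SIZE_MAX) return -EINVAL;`. After the cast, it would help to check that the declared slot count is at most `TLV_MAX_NB_SLOTS` and fits within `tlv->len`. The function starts and continues outside the hunk, so part of this may already be handled there.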