diff options
author | Ilhan FOSSE <ilhan.fosse@qorvo.com> | 2022-11-29 12:12:13 +0100 |
---|---|---|
committer | Clément Viel <clement.viel@qorvo.com> | 2022-12-01 16:25:42 +0100 |
commit | 3c21e3f7c23c6d40bb5e235bbb99b79b27b06024 (patch) | |
tree | 5595f0133441d2cbda3f01264d9546596cd8c7fd /kernel | |
parent | cfa43205823e95e0b1ea7495b8de13fb00a8c743 (diff) | |
download | uwb-3c21e3f7c23c6d40bb5e235bbb99b79b27b06024.tar.gz |
dw3000: added size check to avoid OOB
Bug: 250696102
Change-Id: Ic352a1184ca61a7247aff51585da819897343818
Signed-off-by: Clément Viel <clement.viel@qorvo.com>
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/drivers/net/ieee802154/dw3000_nfcc_coex_msg.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/kernel/drivers/net/ieee802154/dw3000_nfcc_coex_msg.c b/kernel/drivers/net/ieee802154/dw3000_nfcc_coex_msg.c index db6f253..18b74be 100644 --- a/kernel/drivers/net/ieee802154/dw3000_nfcc_coex_msg.c +++ b/kernel/drivers/net/ieee802154/dw3000_nfcc_coex_msg.c @@ -33,6 +33,7 @@ #define TLV_U32_LEN (4 + 1) /* u32 + ack/nack. */ #define TLV_SLOTS_LEN(nbslots) \ (1 + (8 * (nbslots)) + 1) /* nslots + slots + ack/nack. */ +#define TLV_SLOTS_LIST_SIZE_MAX (1 + (8 * (TLV_MAX_NB_SLOTS))) #define MSG_NEXT_TLV(buffer, offset) \ (struct dw3000_nfcc_coex_tlv *)((buffer)->msg.tlvs + (offset)) @@ -272,6 +273,9 @@ dw3000_nfcc_coex_tlvs_check(struct dw3000 *dw, /* Reject a new TLV with same type. Behavior not defined. */ if (slot_list) return -EINVAL; + /* Check if the tlv size isn't exceeding the list max size */ + if (tlv->len > TLV_SLOTS_LIST_SIZE_MAX) + return -EINVAL; slot_list = (const struct dw3000_nfcc_coex_tlv_slot_list *)&tlv->tlv; /* Update rx_msg_info. */ |