ath10k: pci: fix memcpy size of bmi response

A compromized ath10k peripheral is able to control the size argument of memcpy in ath10k_pci_hif_exchange_bmi_msg. The min result from previous line is not used as the size argument for memcpy. Instead, xfer.resp_len comes from untrusted stream dma input. The value comes from "nbytes" in ath10k_pci_bmi_recv_data, which is set inside _ath10k_ce_completed_recv_next_nolock with the line nbytes = __le16_to_cpu(sdesc.nbytes); sdesc is a stream dma region which device can write to. Signed-off-by: Zekun Shen <bruceshenzk@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20200616132544.17478-1-bruceshenzk@gmail.com
2026-06-04 18:19:28 +09:00 · 2020-06-16 09:25:43 -04:00
parent 93a5b66880
commit aed9529725
1 changed files with 1 additions and 1 deletions
--- a/drivers/net/wireless/ath/ath10k/pci.c
+++ b/drivers/net/wireless/ath/ath10k/pci.c
@@ -2184,7 +2184,7 @@ err_req:

 	if (ret == 0 && resp_len) {
 		*resp_len = min(*resp_len, xfer.resp_len);
-		memcpy(resp, tresp, xfer.resp_len);
+		memcpy(resp, tresp, *resp_len);
 	}
 err_dma:
 	kfree(treq);