wcnss: fix integer underflow in wcnss_wlan

Fix integer underflow which may eventually results in an buffer overread in wcnss_nvbin_dnld when the firmware file size is less than 4 Byte. Add a check on file size before performing arithmetic operation which avoids buffer underflow. CRs-Fixed: 2279226 Change-Id: Ia7fdb859e8c999f8a2e81c957c7cab35ef312844 Signed-off-by: Sandeep Singh <sandsing@codeaurora.org>
author: Sandeep Singh <sandsing@codeaurora.org> 2018-10-04 15:53:23 +0530
committer: Sandeep Singh <sandsing@codeaurora.org> 2018-10-09 11:32:50 +0530
commit: 5bad01206d00b2bf52f78bb78c46c82130c7b2c6 (patch)
tree: 101c84b651fa37c1e4f6f5463a29c1c55e89303c
parent: 3b8fc0b7a3fcc809378d82dbf66b417e186af205 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/net/wireless/wcnss/wcnss_wlan.c b/drivers/net/wireless/wcnss/wcnss_wlan.c
index 13ae5c3c2471..b97e550cba5d 100644
--- a/drivers/net/wireless/wcnss/wcnss_wlan.c
+++ b/drivers/net/wireless/wcnss/wcnss_wlan.c
@@ -2368,6 +2368,12 @@ static void wcnss_nvbin_dnld(void)
 		goto out;
 	}
 
+	if (nv->size <= 4) {
+		pr_err("wcnss: %s: request_firmware failed for %s (file size = %zu)\n",
+		       __func__, NVBIN_FILE, nv->size);
+		goto out;
+	}
+
 	/* First 4 bytes in nv blob is validity bitmap.
 	 * We cannot validate nv, so skip those 4 bytes.
 	 */
author	Sandeep Singh <sandsing@codeaurora.org>	2018-10-04 15:53:23 +0530
committer	Sandeep Singh <sandsing@codeaurora.org>	2018-10-09 11:32:50 +0530
commit	5bad01206d00b2bf52f78bb78c46c82130c7b2c6 (patch)
tree	101c84b651fa37c1e4f6f5463a29c1c55e89303c
parent	3b8fc0b7a3fcc809378d82dbf66b417e186af205 (diff)