On Tue, Apr 30, 2024 at 07:07:39PM +0200, Johan Hovold wrote:
> Add the missing sanity checks when parsing the firmware files before
> downloading them to avoid accessing and corrupting memory beyond the
> vmalloced buffer.
>
> Fixes: 83e81961ff7e ("Bluetooth: btqca: Introduce generic QCA ROME support")
> Cc: stable@xxxxxxxxxxxxxxx # 4.10
> Signed-off-by: Johan Hovold <johan+linaro@xxxxxxxxxx>
> ---
>  drivers/bluetooth/btqca.c | 38 ++++++++++++++++++++++++++++++++------
>  1 file changed, 32 insertions(+), 6 deletions(-)

>  static int qca_tlv_send_segment(struct hci_dev *hdev, int seg_size,

> @@ -532,7 +556,9 @@ static int qca_download_firmware(struct hci_dev *hdev,
>  	memcpy(data, fw->data, size);
>  	release_firmware(fw);
>
> -	qca_tlv_check_data(hdev, config, data, soc_type);
> +	ret = qca_tlv_check_data(hdev, config, data, size, soc_type);
> +	if (ret)
> +		return ret;

Bah, I realised late last night that I had forgotten to fix this error
path before posting v2. This was supposed to say

	goto out;

to make sure the firmware buffer is released in case we ever encounter
malformed firmware.

I'll send a follow-up patch.

Johan
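Review bot: the `return ret` added after the `qca_tlv_check_data()` call in the qca_download_firmware() hunk leaks the vmalloced `data` buffer that the preceding `memcpy(data, fw->data, size)` just filled; `release_firmware(fw)` above it only drops the firmware request, not that copy. The error path should use `goto out;` so the buffer is freed on the function's cleanup path before the error is returned.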