
Bug in commit 119585281617 wifi: mwifiex: Fix OOB and integer underflow when rx packets

On Wed, Aug 09, 2023 at 12:35:37PM +0300, Dmitry Antipov wrote:
> And I have some doubts on 119585281617 ("wifi: mwifiex: Fix OOB and integer
> underflow when rx packets"). Looking through 'mwifiex_uap_queue_bridged_pkt()'
> again, it seems that 'return' is missing:
> 
> 	if (sizeof(*rx_pkt_hdr) +
> 	    le16_to_cpu(uap_rx_pd->rx_pkt_offset) > skb->len) {
> 		mwifiex_dbg(adapter, ERROR,
> 			    "wrong rx packet offset: len=%d,rx_pkt_offset=%d\n",
> 			    skb->len, le16_to_cpu(uap_rx_pd->rx_pkt_offset));
> 		priv->stats.rx_dropped++;
> 		dev_kfree_skb_any(skb);
>                /* HERE */
> 	}
> 
> 	if ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header,
> 
> because 'rx_pkt_hdr' points to 'skb->data' plus some offset (see above),
> so reading freed memory with 'memcmp()' causes undefined behavior.
> And likewise for 'mwifiex_process_rx_packet()' (but not for
> 'mwifiex_process_uap_rx_packet()' where 'return 0' looks correct).

That's...completely unrelated to the post in question, so changing the
subject. But it's also an excellent (and terrible) catch.

Polars or Matthew, can you fix that up in a new patch ASAP?

CC Johannes, in case this patch is going places any time soon.

Brian
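The fall-through Dmitry describes, modelled as an added example that is not part of this thread or of the mwifiex driver: a mock skb whose free only flips a flag, so the read that the missing return permits can be counted instead of being undefined behaviour. The struct names, mock_kfree_skb() and count_uaf_reads() are stand-ins, not kernel APIs; the fixed variant adds the early return the thread asks for.

```c
/* Added example, not driver code: models the offset check from mwifiex_uap_queue_bridged_pkt()
 * with a mock skb whose "free" only sets a flag, so the read-after-free is counted, not UB. */
#include <stdint.h>
#include <string.h>
struct mock_skb    { uint8_t *data; size_t len; int freed; };
struct mock_rx_pd  { uint16_t rx_pkt_offset; };  /* stand-in for uap_rxpd */
struct mock_rx_hdr { uint8_t rfc1042_hdr[6]; };  /* stand-in for rx_packet_hdr */
static int uaf_reads;                            /* header reads after free */
static void mock_kfree_skb(struct mock_skb *skb) { skb->freed = 1; }

static const struct mock_rx_hdr *rx_hdr_at(const struct mock_skb *skb, size_t off)
{   /* every header read goes through here so a read after free is counted */
    if (skb->freed) uaf_reads++;
    return (const struct mock_rx_hdr *)(skb->data + off);
}

/* Pattern Dmitry quoted: free the skb, then fall through into memcmp().
 * Returns 1 if the RFC 1042 bridge-tunnel header matched, else 0. */
static int bridged_pkt_buggy(struct mock_skb *skb, const struct mock_rx_pd *pd, const uint8_t *tunnel)
{
    size_t off = pd->rx_pkt_offset;
    if (sizeof(struct mock_rx_hdr) + off > skb->len) {
        mock_kfree_skb(skb);
        /* missing return: the code below still reads skb->data */
    }
    return !memcmp(rx_hdr_at(skb, off)->rfc1042_hdr, tunnel, 6);
}

/* Same check with the early return the thread asks for; -1 means dropped. */
static int bridged_pkt_fixed(struct mock_skb *skb, const struct mock_rx_pd *pd, const uint8_t *tunnel)
{
    size_t off = pd->rx_pkt_offset;
    if (sizeof(struct mock_rx_hdr) + off > skb->len) {
        mock_kfree_skb(skb);
        return -1;                   /* skb is gone; nothing below may touch it */
    }
    return !memcmp(rx_hdr_at(skb, off)->rfc1042_hdr, tunnel, 6);
}

/* Runs one variant on a constructed 8-byte skb whose rx_pkt_offset of 8 leaves
 * no room for the 6-byte header; returns how many freed-data reads happened. */
int count_uaf_reads(int use_fixed, int *rc)
{
    uint8_t backing[64] = {0};       /* oversized so the stray read stays in bounds */
    struct mock_skb skb = { backing, 8, 0 }; struct mock_rx_pd pd = { 8 };
    static const uint8_t tunnel[6] = { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0xf8 };
    uaf_reads = 0;
    *rc = use_fixed ? bridged_pkt_fixed(&skb, &pd, tunnel) : bridged_pkt_buggy(&skb, &pd, tunnel);
    return uaf_reads;
}
```

Running the buggy variant on the short packet reports one read of freed data; the fixed variant drops the packet and touches nothing after the free.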


