Make the mwifiex_dbg() into a warning though. This is an error
condition and shouldn't be hidden.

        mwifiex_dbg(priv->adapter, INFO,
                    "%pM tid=%d seq_num=%d bitmap_len=%d\n",
                    tlv_rxba->mac, tlv_rxba->tid, tlv_seq_num,

I wanted to use `sizeof(*tlv_rxba) + tlv_bitmap_len` here instead of
`sizeof(tlv_rxba->header) + tlv_len` to avoid any issues in case there
is any (buggy) discrepancy between `tlv_len` and `tlv_bitmap_len`.
This is when for some (weird) reason
`tlv_len - (sizeof(*tlv_rxba) - sizeof(tlv_rxba->header)) != tlv_bitmap_len`
tlv_len absolutely should also be checked. But you don't need that
condition, just do the same thing right after tlv_len is retrieved from
the header:

        if (sizeof(tlv_rxba->header) + tlv_len > tlv_buf_left) {
                <warn>
                return;
        }

Thanks for all the feedback, Dan:
https://lore.kernel.org/linux-hardening/cover.1692931954.git.gustavoars@xxxxxxxxxx/
--
Gustavo
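
The two length checks discussed in this thread, as an added example that is not from the patch or the mwifiex driver. The struct layout is a simplified assumption, the length fields are read in host byte order, and `rxba_check` and `rxba_demo` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified layout; not the driver's real structs. */
struct tlv_hdr { uint16_t type; uint16_t len; };
struct rxba_tlv {
    struct tlv_hdr header;
    uint8_t  mac[6];
    uint8_t  tid;
    uint8_t  reserved;
    uint16_t seq_num;
    uint16_t bitmap_len;
    uint8_t  bitmap[];
};

enum { RXBA_OK, RXBA_ERR_HDR, RXBA_ERR_LEN, RXBA_ERR_FIXED, RXBA_ERR_BITMAP };

/* Validate one TLV that starts at buf with buf_left bytes remaining. */
int rxba_check(const uint8_t *buf, size_t buf_left)
{
    const size_t fixed = sizeof(struct rxba_tlv) - sizeof(struct tlv_hdr);
    struct tlv_hdr hdr;
    uint16_t bitmap_len;
    if (buf_left < sizeof(hdr))
        return RXBA_ERR_HDR;
    memcpy(&hdr, buf, sizeof(hdr));
    /* Check right after tlv_len is read: the whole TLV must fit. */
    if (sizeof(hdr) + hdr.len > buf_left)
        return RXBA_ERR_LEN;
    /* The payload must at least hold the fixed fields. */
    if (hdr.len < fixed)
        return RXBA_ERR_FIXED;
    memcpy(&bitmap_len, buf + offsetof(struct rxba_tlv, bitmap_len), sizeof(bitmap_len));
    /* tlv_len and bitmap_len may disagree: bound the bitmap by tlv_len. */
    if (bitmap_len > hdr.len - fixed)
        return RXBA_ERR_BITMAP;
    return RXBA_OK;
}

/* Build a constructed TLV with the given length fields and validate it. */
int rxba_demo(uint16_t tlv_len, uint16_t bitmap_len, size_t buf_left)
{
    uint8_t buf[64] = {0};
    memcpy(buf + offsetof(struct tlv_hdr, len), &tlv_len, sizeof(tlv_len));
    memcpy(buf + offsetof(struct rxba_tlv, bitmap_len), &bitmap_len, sizeof(bitmap_len));
    return rxba_check(buf, buf_left);
}
```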