On 11/22/2024 9:42 AM, Tamizh Chelvam Raja wrote: > From: Manish Dharanenthiran <quic_mdharane@xxxxxxxxxxx> > > In certain cases, hardware might provide packets with a > length greater than the maximum native Wi-Fi header length. > This can lead to accessing and modifying fields in the header > within the ath12k_dp_rx_h_undecap_nwifi function for > DP_RX_DECAP_TYPE_NATIVE_WIFI decap type and > potentially resulting in invalid data access and memory corruption. > > Add a sanity check before processing the SKB to prevent invalid > data access in the undecap native Wi-Fi function for the > DP_RX_DECAP_TYPE_NATIVE_WIFI decap type. > > Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 > > Signed-off-by: Manish Dharanenthiran <quic_mdharane@xxxxxxxxxxx> > Signed-off-by: Tamizh Chelvam Raja <quic_tamizhr@xxxxxxxxxxx> Acked-by: Jeff Johnson <quic_jjohnson@xxxxxxxxxxx> One nit... > --- > drivers/net/wireless/ath/ath12k/dp_rx.c | 42 +++++++++++++++++++++++-- > 1 file changed, 40 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c > index 0fb39c174475..26ff9a346dca 100644 > --- a/drivers/net/wireless/ath/ath12k/dp_rx.c > +++ b/drivers/net/wireless/ath/ath12k/dp_rx.c > @@ -2474,6 +2474,29 @@ static void ath12k_dp_rx_deliver_msdu(struct ath12k *ar, struct napi_struct *nap > ieee80211_rx_napi(ath12k_ar_to_hw(ar), pubsta, msdu, napi); > } > > +static bool ath12k_dp_rx_check_nwifi_hdr_len_valid(struct ath12k_base *ab, > + struct hal_rx_desc *rx_desc, > + struct sk_buff *msdu) > +{ > + u8 decap_type; > + struct ieee80211_hdr *hdr; > + u32 hdr_len; try to keep reverse xmas tree format
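Review bot: the new helper ath12k_dp_rx_check_nwifi_hdr_len_valid() is added without a comment stating its contract, which matters here because the commit message ties a wrong answer to invalid data access and memory corruption. Above the function signature, add a short comment naming the bound that hdr_len is compared against (the commit message only says "the maximum native Wi-Fi header length"), what a true or false return means, and what the caller is expected to do with the msdu on false. Since the helper declares decap_type and the check is described as applying only to DP_RX_DECAP_TYPE_NATIVE_WIFI, the comment should also say what is returned for other decap types, so a later caller does not assume the length was validated when it was not.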