diff options
| author | Stefan Sperling <stsp@cvs.openbsd.org> | 2022-08-29 17:59:13 +0000 |
|---|---|---|
| committer | Stefan Sperling <stsp@cvs.openbsd.org> | 2022-08-29 17:59:13 +0000 |
| commit | 47b0cf71a50b0690ad6b50f4cb09bc4db0520792 (patch) | |
| tree | 4db88501ebf0b0e1ba56d4aeb6efad586f5895f3 /sys/dev/pci/if_iwm.c | |
| parent | fb2fa9d3d3da856d587cc82d76cf2f517ac88269 (diff) | |
Fix integer overflows in iwm(4) and iwx(4) firmware file parsers.
Found by hshoexer and gerhard@, and reported to me by Christian Ehrhardt.
ok gerhard@
Diffstat (limited to 'sys/dev/pci/if_iwm.c')
| -rw-r--r-- | sys/dev/pci/if_iwm.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/sys/dev/pci/if_iwm.c b/sys/dev/pci/if_iwm.c index 0bc32b52e41..b7d37d7182e 100644 --- a/sys/dev/pci/if_iwm.c +++ b/sys/dev/pci/if_iwm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_iwm.c,v 1.403 2022/07/11 11:28:37 stsp Exp $ */ +/* $OpenBSD: if_iwm.c,v 1.404 2022/08/29 17:59:12 stsp Exp $ */ /* * Copyright (c) 2014, 2016 genua gmbh <info@genua.de> @@ -1015,6 +1015,13 @@ iwm_read_firmware(struct iwm_softc *sc) goto parse_out; } + /* + * Check for size_t overflow and ignore missing padding at + * end of firmware file. + */ + if (roundup(tlv_len, 4) > len) + break; + len -= roundup(tlv_len, 4); data += roundup(tlv_len, 4); } |