authorStefan Sperling <stsp@cvs.openbsd.org>2022-08-29 17:59:13 +0000
committerStefan Sperling <stsp@cvs.openbsd.org>2022-08-29 17:59:13 +0000
commit47b0cf71a50b0690ad6b50f4cb09bc4db0520792 (patch)
tree4db88501ebf0b0e1ba56d4aeb6efad586f5895f3 /sys
parentfb2fa9d3d3da856d587cc82d76cf2f517ac88269 (diff)
Fix integer overflows in iwm(4) and iwx(4) firmware file parsers.
Found by hshoexer and gerhard@, and reported to me by Christian Ehrhardt. ok gerhard@
Diffstat (limited to 'sys')
-rw-r--r--sys/dev/pci/if_iwm.c9
-rw-r--r--sys/dev/pci/if_iwx.c13
2 files changed, 19 insertions, 3 deletions
diff --git a/sys/dev/pci/if_iwm.c b/sys/dev/pci/if_iwm.c
index 0bc32b52e41..b7d37d7182e 100644
--- a/sys/dev/pci/if_iwm.c
+++ b/sys/dev/pci/if_iwm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_iwm.c,v 1.403 2022/07/11 11:28:37 stsp Exp $ */
+/* $OpenBSD: if_iwm.c,v 1.404 2022/08/29 17:59:12 stsp Exp $ */
/*
* Copyright (c) 2014, 2016 genua gmbh <info@genua.de>
@@ -1015,6 +1015,13 @@ iwm_read_firmware(struct iwm_softc *sc)
goto parse_out;
}
+ /*
+ * Check for size_t overflow and ignore missing padding at
+ * end of firmware file.
+ */
+ if (roundup(tlv_len, 4) > len)
+ break;
+
len -= roundup(tlv_len, 4);
data += roundup(tlv_len, 4);
}
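Review bot: The new guard in iwm_read_firmware relies on `roundup(tlv_len, 4)` not wrapping. If tlv_len is a 32-bit value (its declaration is outside the hunk), a length within three of the type's maximum rounds up to a small number and passes the check. The earlier length test, of which only the `goto parse_out` tail is visible, presumably makes that hard to reach. Computing the padded size once in the width of len removes the dependency where size_t is wider than tlv_len: `size_t padded = roundup((size_t)tlv_len, 4);`, then `if (padded > len) break;` and `len -= padded; data += padded;`. The same three-fold `roundup()` pattern is added in iwx_read_firmware and iwx_pnvm_handle_section in if_iwx.c, and the loop body here starts outside the hunk.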
diff --git a/sys/dev/pci/if_iwx.c b/sys/dev/pci/if_iwx.c
index 9497ddbe2e6..f4dc3de32d8 100644
--- a/sys/dev/pci/if_iwx.c
+++ b/sys/dev/pci/if_iwx.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_iwx.c,v 1.149 2022/05/14 05:42:39 stsp Exp $ */
+/* $OpenBSD: if_iwx.c,v 1.150 2022/08/29 17:59:12 stsp Exp $ */
/*
* Copyright (c) 2014, 2016 genua gmbh <info@genua.de>
@@ -1566,6 +1566,13 @@ iwx_read_firmware(struct iwx_softc *sc)
goto parse_out;
}
+ /*
+ * Check for size_t overflow and ignore missing padding at
+ * end of firmware file.
+ */
+ if (roundup(tlv_len, 4) > len)
+ break;
+
len -= roundup(tlv_len, 4);
data += roundup(tlv_len, 4);
}
@@ -3986,6 +3993,8 @@ iwx_pnvm_handle_section(struct iwx_softc *sc, const uint8_t *data,
break;
}
+ if (roundup(tlv_len, 4) > len)
+ break;
len -= roundup(tlv_len, 4);
data += roundup(tlv_len, 4);
}
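Review bot: The check added in iwx_pnvm_handle_section has no comment, while the identical checks in iwm_read_firmware and iwx_read_firmware explain that they tolerate missing padding at the end of the file. If the intent here is the same, say so above the `if`, for example `/* Ignore missing padding at end of PNVM section. */`. Without it a reader cannot tell whether leaving the loop early is an accepted case or a silently dropped parse error. What the function returns after the `break` lies outside the hunk.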
@@ -4024,7 +4033,7 @@ iwx_pnvm_parse(struct iwx_softc *sc, const uint8_t *data, size_t len)
tlv_len = le32toh(tlv->length);
tlv_type = le32toh(tlv->type);
- if (len < tlv_len)
+ if (len < tlv_len || roundup(tlv_len, 4) > len)
return EINVAL;
if (tlv_type == IWX_UCODE_TLV_PNVM_SKU) {
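Review bot: iwx_pnvm_parse rejects a TLV whose padded length exceeds the remaining data with `return EINVAL`, whereas the other three parsers touched by this commit `break` on the same condition and accept the input. If the stricter handling is deliberate, record it above the condition, for example `/* Unlike the section parser, treat a TLV with missing padding as a corrupt image. */`. The `len < tlv_len` clause looks redundant next to the new one but is worth keeping, because it still holds if `roundup()` wraps for a tlv_len near the top of its type. That depends on tlv_len's width, which is declared outside the hunk.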