github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-05 04:56:13 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
master
linux/drivers/net/wwan/t7xx
History
Pavitra Jha 0e7c074cfc net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler 
t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as
a loop bound over port_msg->data[] without checking that the message buffer
contains sufficient data. A modem sending port_count=65535 in a 12-byte
buffer triggers a slab-out-of-bounds read of up to 262140 bytes.

Add a sizeof(*port_msg) check before accessing the port message header
fields to guard against undersized messages.

Add a struct_size() check after extracting port_count and before the loop.

In t7xx_parse_host_rt_data(), guard the rt_feature header read with a
remaining-buffer check before accessing data_len, validate feat_data_len
against the actual remaining buffer to prevent OOB reads and signed
integer overflow on offset.

Pass msg_len from both call sites: skb->len at the DPMAIF path after
skb_pull(), and the validated feat_data_len at the handshake path.

Fixes: da45d2566a ("net: wwan: t7xx: Add control port")
Cc: stable@vger.kernel.org
Signed-off-by: Pavitra Jha <jhapavitra98@gmail.com>
Link: https://patch.msgid.link/20260501110713.145563-1-jhapavitra98@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-05 19:05:11 -07:00
..
Makefile
t7xx_cldma.c net: wwan: t7xx: Split 64bit accesses to fix alignment issues 2024-03-25 19:51:57 -07:00
t7xx_cldma.h
t7xx_dpmaif.c
t7xx_dpmaif.h
t7xx_hif_cldma.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
t7xx_hif_cldma.h net: wwan: t7xx: Make local function static 2025-11-21 18:09:43 -08:00
t7xx_hif_dpmaif_rx.c net: wwan: t7xx: fix potential skb->frags overflow in RX path 2026-01-25 14:43:32 -08:00
t7xx_hif_dpmaif_rx.h
t7xx_hif_dpmaif_tx.c net: wwan: Remove redundant pm_runtime_mark_last_busy() calls 2025-10-29 18:55:56 -07:00
t7xx_hif_dpmaif_tx.h
t7xx_hif_dpmaif.c
t7xx_hif_dpmaif.h
t7xx_mhccif.c
t7xx_mhccif.h
t7xx_modem_ops.c net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler 2026-05-05 19:05:11 -07:00
t7xx_modem_ops.h net: wwan: t7xx: PCIe reset rescan 2024-08-21 12:57:24 +01:00
t7xx_netdev.c net: wwan: t7xx: Fix napi rx poll issue 2025-06-03 10:32:45 +02:00
t7xx_netdev.h net: wwan: t7xx: Un-embed dummy device 2024-04-25 19:32:31 -07:00
t7xx_pci.c net: wwan: t7xx: add support for HP DRMR-H01 2025-10-06 11:10:38 -07:00
t7xx_pci.h net: wwan: t7xx: Add debug ports 2024-11-07 13:33:45 +01:00
t7xx_pcie_mac.c net: wwan: t7xx: Split 64bit accesses to fix alignment issues 2024-03-25 19:51:57 -07:00
t7xx_pcie_mac.h
t7xx_port_ctrl_msg.c net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler 2026-05-05 19:05:11 -07:00
t7xx_port_proxy.c net: wwan: t7xx: Add debug ports 2024-11-07 13:33:45 +01:00
t7xx_port_proxy.h net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler 2026-05-05 19:05:11 -07:00
t7xx_port_trace.c relayfs: abolish prev_padding 2025-07-09 22:57:51 -07:00
t7xx_port_wwan.c net: wwan: t7xx: Add debug ports 2024-11-07 13:33:45 +01:00
t7xx_port.h net: wwan: t7xx: Add debug ports 2024-11-07 13:33:45 +01:00
t7xx_reg.h
t7xx_state_monitor.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
t7xx_state_monitor.h net: wwan: t7xx: Fix FSM command timeout issue 2024-12-30 18:00:32 -08:00