| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250406081930.2909-1-vulab@iscas.ac.cn>
Date: Sun, 6 Apr 2025 16:19:30 +0800
From: Wentao Liang <vulab@...as.ac.cn>
To: arend.vanspriel@...adcom.com,
kvalo@...nel.org
Cc: christophe.jaillet@...adoo.fr,
megi@....cz,
saikrishnag@...vell.com,
linux-wireless@...r.kernel.org,
brcm80211@...ts.linux.dev,
brcm80211-dev-list.pdl@...adcom.com,
linux-kernel@...r.kernel.org,
Wentao Liang <vulab@...as.ac.cn>,
stable@...r.kernel.org
Subject: [PATCH] brcm80211: fmac: Add error check for brcmf_usb_dlneeded()
The function brcmf_usb_dlneeded() calls the function brcmf_usb_dl_cmd()
but dose not check its return value. The 'id.chiprev' is uninitialized if
the function brcmf_usb_dl_cmd() fails, and may propagate to
'devinfo->bus_pub.chiprev'.
Add error handling for brcmf_usb_dl_cmd() to return the function if the
'id.chiprev' is uninitialized.
Fixes: 71bb244ba2fd ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets")
Cc: stable@...r.kernel.org # v3.4+
Signed-off-by: Wentao Liang <vulab@...as.ac.cn>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
index 2821c27f317e..50dddac8a2ab 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
@@ -790,6 +790,7 @@ brcmf_usb_dlneeded(struct brcmf_usbdev_info *devinfo)
{
struct bootrom_id_le id;
u32 chipid, chiprev;
+ int err;
brcmf_dbg(USB, "Enter\n");
@@ -798,7 +799,11 @@ brcmf_usb_dlneeded(struct brcmf_usbdev_info *devinfo)
/* Check if firmware downloaded already by querying runtime ID */
id.chip = cpu_to_le32(0xDEAD);
- brcmf_usb_dl_cmd(devinfo, DL_GETVER, &id, sizeof(id));
+ err = brcmf_usb_dl_cmd(devinfo, DL_GETVER, &id, sizeof(id));
+ if (err) {
+ brcmf_err("DL_GETID Failed\n");
+ return false;
+ }
chipid = le32_to_cpu(id.chip);
chiprev = le32_to_cpu(id.chiprev);
--
2.42.0.windows.2
Powered by blists - more mailing lists