lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20250406081930.2909-1-vulab@iscas.ac.cn>
Date: Sun,  6 Apr 2025 16:19:30 +0800
From: Wentao Liang <vulab@...as.ac.cn>
To: arend.vanspriel@...adcom.com,
	kvalo@...nel.org
Cc: christophe.jaillet@...adoo.fr,
	megi@....cz,
	saikrishnag@...vell.com,
	linux-wireless@...r.kernel.org,
	brcm80211@...ts.linux.dev,
	brcm80211-dev-list.pdl@...adcom.com,
	linux-kernel@...r.kernel.org,
	Wentao Liang <vulab@...as.ac.cn>,
	stable@...r.kernel.org
Subject: [PATCH] brcm80211: fmac: Add error check for brcmf_usb_dlneeded()

The function brcmf_usb_dlneeded() calls the function brcmf_usb_dl_cmd()
but dose not check its return value. The 'id.chiprev' is uninitialized if
the function brcmf_usb_dl_cmd() fails, and may propagate to
'devinfo->bus_pub.chiprev'.

Add error handling for brcmf_usb_dl_cmd() to return the function if the
'id.chiprev' is uninitialized.

Fixes: 71bb244ba2fd ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets")
Cc: stable@...r.kernel.org # v3.4+
Signed-off-by: Wentao Liang <vulab@...as.ac.cn>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
index 2821c27f317e..50dddac8a2ab 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
@@ -790,6 +790,7 @@ brcmf_usb_dlneeded(struct brcmf_usbdev_info *devinfo)
 {
 	struct bootrom_id_le id;
 	u32 chipid, chiprev;
+	int err;
 
 	brcmf_dbg(USB, "Enter\n");
 
@@ -798,7 +799,11 @@ brcmf_usb_dlneeded(struct brcmf_usbdev_info *devinfo)
 
 	/* Check if firmware downloaded already by querying runtime ID */
 	id.chip = cpu_to_le32(0xDEAD);
-	brcmf_usb_dl_cmd(devinfo, DL_GETVER, &id, sizeof(id));
+	err = brcmf_usb_dl_cmd(devinfo, DL_GETVER, &id, sizeof(id));
+	if (err) {
+		brcmf_err("DL_GETID Failed\n");
+		return false;
+	}
 
 	chipid = le32_to_cpu(id.chip);
 	chiprev = le32_to_cpu(id.chiprev);
-- 
2.42.0.windows.2


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ