On Tue, Apr 30, 2024 at 07:07:39PM +0200, Johan Hovold wrote:
Add the missing sanity checks when parsing the firmware files before downloading them to avoid accessing and corrupting memory beyond the vmalloced buffer.
Fixes: 83e81961ff7e ("Bluetooth: btqca: Introduce generic QCA ROME support")
Cc: stable@vger.kernel.org # 4.10
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
drivers/bluetooth/btqca.c | 38 ++++++++++++++++++++++++++++++++------
1 file changed, 32 insertions(+), 6 deletions(-)
static int qca_tlv_send_segment(struct hci_dev *hdev, int seg_size, @@ -532,7 +556,9 @@ static int qca_download_firmware(struct hci_dev *hdev, memcpy(data, fw->data, size); release_firmware(fw);
- qca_tlv_check_data(hdev, config, data, soc_type);
- ret = qca_tlv_check_data(hdev, config, data, size, soc_type);
- if (ret)
return ret;
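Review bot: the new error path after qca_tlv_check_data() in this hunk leaks the firmware buffer: it does `return ret;` right after `memcpy(data, fw->data, size); release_firmware(fw);`, so when the parser rejects malformed firmware the vmalloc'ed `data` buffer is never freed. Jump to the function's cleanup label instead (`goto out;`) so that buffer is released on the failure path exactly as on the success path.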
Bah, I realised late last night that I had forgotten to fix this error path before posting v2. This was supposed to say
goto out;
to make sure the firmware buffer is released in case we ever encounter malformed firmware.
I'll send a follow-up patch.
Johan