[PATCH 4.9 042/103] iwlwifi: mvm: writing zero bytes to debugfs causes a crash
From: Greg Kroah-Hartman
Date: Thu May 11 2017 - 11:11:05 EST
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
commit 251fe09f13bfb54c1ede66ee8bf8ddd0061c4f7c upstream.
This is a static analysis fix. The warning is:
drivers/net/wireless/intel/iwlwifi/mvm/fw-dbg.c:912 iwl_mvm_fw_dbg_collect()
warn: integer overflows 'sizeof(*desc) + len'
I guess this code is supposed to take a NUL character, but if we write
zero bytes then it tries to write -1 characters and crashes.
Fixes: c91b865cb14d ("iwlwifi: mvm: support description for user triggered fw dbg collection")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Signed-off-by: Luca Coelho <luciano.coelho@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
@@ -1056,6 +1056,8 @@ static ssize_t iwl_dbgfs_fw_dbg_collect_
if (ret)
return ret;
+ if (count == 0)
+ return 0;
iwl_mvm_fw_dbg_collect(mvm, FW_DBG_TRIGGER_USER, buf,
(count - 1), NULL);