iwlwifi: pnvm: don't kmemdup() more than we have

We shouldn't kmemdup() more data than we have, that might
cause the code to crash. Fix that by updating the length
before the kmemdup.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/iwlwifi.20211016114029.ab0e64c3fba9.Ic6a3295fc384750b51b4270bf0b7d94984a139f2@changeid

diff --git a/drivers/net/wireless/intel/iwlwifi/fw/pnvm.c b/drivers/net/wireless/intel/iwlwifi/fw/pnvm.c
index dde22bd..9b0eee5 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/fw/pnvm.c
+++ b/drivers/net/wireless/intel/iwlwifi/fw/pnvm.c
@@ -284,16 +284,15 @@ int iwl_pnvm_load(struct iwl_trans *trans,
        /* First attempt to get the PNVM from BIOS */
        package = iwl_uefi_get_pnvm(trans, &len);
        if (!IS_ERR_OR_NULL(package)) {
+               /* we need only the data */
+               len -= sizeof(*package);
                data = kmemdup(package->data, len, GFP_KERNEL);
 
                /* free package regardless of whether kmemdup succeeded */
                kfree(package);
 
-               if (data) {
-                       /* we need only the data size */
-                       len -= sizeof(*package);
+               if (data)
                        goto parse;
-               }
        }
 
        /* If it's not available, try from the filesystem */