wcnss: fix integer underflow in wcnss_wlan

Fix integer underflow which may eventually results in an buffer
overread in wcnss_nvbin_dnld when the firmware file size is less
than 4 Byte. Add a check on file size before performing
arithmetic operation which avoids buffer underflow.

CRs-Fixed: 2279226
Change-Id: Ia7fdb859e8c999f8a2e81c957c7cab35ef312844
Signed-off-by: Sandeep Singh <sandsing@codeaurora.org>

diff --git a/drivers/net/wireless/wcnss/wcnss_wlan.c b/drivers/net/wireless/wcnss/wcnss_wlan.c
index 13ae5c3..b97e550 100644 (file)
--- a/drivers/net/wireless/wcnss/wcnss_wlan.c
+++ b/drivers/net/wireless/wcnss/wcnss_wlan.c
@@ -2368,6 +2368,12 @@ static void wcnss_nvbin_dnld(void)
                goto out;
        }
 
+       if (nv->size <= 4) {
+               pr_err("wcnss: %s: request_firmware failed for %s (file size = %zu)\n",
+                      __func__, NVBIN_FILE, nv->size);
+               goto out;
+       }
+
        /* First 4 bytes in nv blob is validity bitmap.
         * We cannot validate nv, so skip those 4 bytes.
         */