From 5bad01206d00b2bf52f78bb78c46c82130c7b2c6 Mon Sep 17 00:00:00 2001
From: Sandeep Singh
Date: Thu, 4 Oct 2018 15:53:23 +0530
Subject: [PATCH] wcnss: fix integer underflow in wcnss_wlan

Fix integer underflow which may eventually results in an buffer overread in wcnss_nvbin_dnld when the firmware file size is less than 4 Byte. Add a check on file size before performing arithmetic operation which avoids buffer underflow.

CRs-Fixed: 2279226
Change-Id: Ia7fdb859e8c999f8a2e81c957c7cab35ef312844
Signed-off-by: Sandeep Singh
---
 drivers/net/wireless/wcnss/wcnss_wlan.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/wireless/wcnss/wcnss_wlan.c b/drivers/net/wireless/wcnss/wcnss_wlan.c
index 13ae5c3c2471..b97e550cba5d 100644
--- a/drivers/net/wireless/wcnss/wcnss_wlan.c
+++ b/drivers/net/wireless/wcnss/wcnss_wlan.c
@@ -2368,6 +2368,12 @@ static void wcnss_nvbin_dnld(void)
 goto out;
 }

+ if (nv->size <= 4) {
+ pr_err("wcnss: %s: request_firmware failed for %s (file size = %zu)\n",
+ __func__, NVBIN_FILE, nv->size);
+ goto out;
+ }
+
 /* First 4 bytes in nv blob is validity bitmap.
 * We cannot validate nv, so skip those 4 bytes.
 */
--
2.11.0
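Review bot: The added `nv->size <= 4` branch jumps to `out` while `nv` presumably still holds a firmware handle, and the `out` label lies outside the hunk, so whether it releases that handle cannot be confirmed from here. The context `goto out;` just above appears to be the request_firmware failure branch, which suggests `out` may skip the release; if so, every undersized NV file leaks the firmware buffer. Adding `release_firmware(nv);` before the new `goto out;`, or jumping to whichever label already releases it, would close that. The log text also says `request_firmware failed` although the load succeeded and the file is merely too short; a message such as `"wcnss: %s: %s too small (file size = %zu)\n"` would make a truncated or tampered NV file easier to triage.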