Re: [PATCH] net: ath10k: fix memcpy size from untrusted input

2020-06-23 Thread Kalle Valo
Zekun Shen wrote:
> A compromised ath10k peripheral is able to control the size argument
> of memcpy in ath10k_pci_hif_exchange_bmi_msg.
>
> The min result from previous line is not used as the size argument
> for memcpy. Instead, xfer.resp_len comes from untrusted stream dma
> input. The value

[PATCH] net: ath10k: fix memcpy size from untrusted input

2020-06-16 Thread Zekun Shen
A compromised ath10k peripheral is able to control the size argument of memcpy in ath10k_pci_hif_exchange_bmi_msg. The min result from previous line is not used as the size argument for memcpy. Instead, xfer.resp_len comes from untrusted stream dma input. The value comes from "nbytes" in ath10k_pc