wifi: iwlwifi: limit printed string from FW file

PlaidCat · PlaidCat · commit d4e35210085f · 2025-07-28T17:10:30.000-04:00
jira LE-3666 cve CVE-2025-21905 Rebuild_History Non-Buildable kernel-5.14.0-570.30.1.el9_6 commit-author Johannes Berg <johannes.berg@intel.com> commit e0dc2c1 There's no guarantee here that the file is always with a NUL-termination, so reading the string may read beyond the end of the TLV. If that's the last TLV in the file, it can perhaps even read beyond the end of the file buffer. Fix that by limiting the print format to the size of the buffer we have. Fixes: aee1b63 ("iwlwifi: support fseq tlv and print fseq version") Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com> Link: https://patch.msgid.link/20250209143303.cb5f9d0c2f5d.Idec695d53c6c2234aade306f7647b576c7e3d928@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com> (cherry picked from commit e0dc2c1) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
@@ -1197,7 +1197,7 @@ static int iwl_parse_tlv_firmware(struct iwl_drv *drv,
 
 			if (tlv_len != sizeof(*fseq_ver))
 				goto invalid_tlv_len;
-			IWL_INFO(drv, "TLV_FW_FSEQ_VERSION: %s\n",
+			IWL_INFO(drv, "TLV_FW_FSEQ_VERSION: %.32s\n",
 				 fseq_ver->version);
 			}
 			break;

Original file line number	Diff line number	Diff line change
`@@ -1197,7 +1197,7 @@ static int iwl_parse_tlv_firmware(struct iwl_drv *drv,`
`1197`	`1197`
`1198`	`1198`	`if (tlv_len != sizeof(*fseq_ver))`
`1199`	`1199`	`goto invalid_tlv_len;`
`1200`		`- IWL_INFO(drv, "TLV_FW_FSEQ_VERSION: %s\n",`
	`1200`	`+ IWL_INFO(drv, "TLV_FW_FSEQ_VERSION: %.32s\n",`
`1201`	`1201`	`fseq_ver->version);`
`1202`	`1202`	`}`
`1203`	`1203`	`break;`