From 9d8e8cd665f9c788732b1199da3967f160b5b1d7 Mon Sep 17 00:00:00 2001
From: Adrian Chadd <adrian@FreeBSD.org>
Date: Mon, 2 Dec 2013 03:42:39 +0000
Subject: [PATCH] Add some sanity checks to the TLV fetch.

Obtained from:	Linux iwlwifi
---
 sys/dev/iwn/if_iwn.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/sys/dev/iwn/if_iwn.c b/sys/dev/iwn/if_iwn.c
index e31eea973bf5..1d451470182b 100644
--- a/sys/dev/iwn/if_iwn.c
+++ b/sys/dev/iwn/if_iwn.c
@@ -7506,8 +7506,16 @@ iwn_read_firmware_tlv(struct iwn_softc *sc, struct iwn_fw_info *fw,
 			DPRINTF(sc, IWN_DEBUG_RESET,
 			    "PAN Support found: %d\n", 1);
 			break;
-		case IWN_FW_TLV_FLAGS :
-			sc->tlv_feature_flags = htole32(*ptr);
+	case IWN_FW_TLV_FLAGS:
+			if (len < sizeof(uint32_t))
+				break;
+			if (len % sizeof(uint32_t))
+				break;
+			sc->tlv_feature_flags = le32toh(*ptr);
+			DPRINTF(sc, IWN_DEBUG_RESET,
+			    "%s: feature: 0x%08x\n",
+			    __func__,
+			    sc->tlv_feature_flags);
 			break;
 		case IWN_FW_TLV_PBREQ_MAXLEN:
 		case IWN_FW_TLV_RUNT_EVTLOG_PTR: