[PATCH] wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd()

From: Rand Deeb
Date: Wed Mar 13 2024 - 06:18:50 EST

Next message: Ulf Hansson: "Re: [RFC PATCH v2 0/8] nvmem: add block device NVMEM provider"
Previous message: Dan Carpenter: "Re: [PATCH v2] staging: bcm2835-audio: add terminating new line to Kconifg"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The 'index' variable in the rs_fill_link_cmd() function can reach
LINK_QUAL_MAX_RETRY_NUM during the execution of the inner loop. This
variable is used as an index for the lq_cmd->rs_table array, which has a
size of LINK_QUAL_MAX_RETRY_NUM, without proper validation.

Modify the condition of the inner loop to ensure that the 'index' variable
does not exceed LINK_QUAL_MAX_RETRY_NUM - 1, thereby preventing any
potential overflow issues.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Rand Deeb <rand.sec96@xxxxxxxxx>
---
drivers/net/wireless/intel/iwlwifi/dvm/rs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
index f4a6f76cf193..e70024525eb9 100644
--- a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
+++ b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
@@ -2904,7 +2904,7 @@ static void rs_fill_link_cmd(struct iwl_priv *priv,
/* Repeat initial/next rate.
* For legacy IWL_NUMBER_TRY == 1, this loop will not execute.
* For HT IWL_HT_NUMBER_TRY == 3, this executes twice. */
- while (repeat_rate > 0 && (index < LINK_QUAL_MAX_RETRY_NUM)) {
+ while (repeat_rate > 0 && index < (LINK_QUAL_MAX_RETRY_NUM - 1)) {
if (is_legacy(tbl_type.lq_type)) {
if (ant_toggle_cnt < NUM_TRY_BEFORE_ANT_TOGGLE)
ant_toggle_cnt++;
--
2.34.1

Next message: Ulf Hansson: "Re: [RFC PATCH v2 0/8] nvmem: add block device NVMEM provider"
Previous message: Dan Carpenter: "Re: [PATCH v2] staging: bcm2835-audio: add terminating new line to Kconifg"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]