[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20240313101755.269209-1-rand.sec96@gmail.com>
Date: Wed, 13 Mar 2024 13:17:55 +0300
From: Rand Deeb <rand.sec96@...il.com>
To: Miri Korenblit <miriam.rachel.korenblit@...el.com>,
Kalle Valo <kvalo@...nel.org>,
Johannes Berg <johannes.berg@...el.com>,
Gregory Greenman <gregory.greenman@...el.com>,
Anjaneyulu <pagadala.yesu.anjaneyulu@...el.com>,
Dmitry Antipov <dmantipov@...dex.ru>,
linux-wireless@...r.kernel.org,
linux-kernel@...r.kernel.org
Cc: deeb.rand@...fident.ru,
lvc-project@...uxtesting.org,
voskresenski.stanislav@...fident.ru,
khoroshilov@...ras.ru,
Rand Deeb <rand.sec96@...il.com>
Subject: [PATCH] wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd()
The 'index' variable in the rs_fill_link_cmd() function can reach
LINK_QUAL_MAX_RETRY_NUM during the execution of the inner loop. This
variable is used as an index for the lq_cmd->rs_table array, which has a
size of LINK_QUAL_MAX_RETRY_NUM, without proper validation.
Modify the condition of the inner loop to ensure that the 'index' variable
does not exceed LINK_QUAL_MAX_RETRY_NUM - 1, thereby preventing any
potential overflow issues.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Rand Deeb <rand.sec96@...il.com>
---
drivers/net/wireless/intel/iwlwifi/dvm/rs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
index f4a6f76cf193..e70024525eb9 100644
--- a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
+++ b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
@@ -2904,7 +2904,7 @@ static void rs_fill_link_cmd(struct iwl_priv *priv,
/* Repeat initial/next rate.
* For legacy IWL_NUMBER_TRY == 1, this loop will not execute.
* For HT IWL_HT_NUMBER_TRY == 3, this executes twice. */
- while (repeat_rate > 0 && (index < LINK_QUAL_MAX_RETRY_NUM)) {
+ while (repeat_rate > 0 && index < (LINK_QUAL_MAX_RETRY_NUM - 1)) {
if (is_legacy(tbl_type.lq_type)) {
if (ant_toggle_cnt < NUM_TRY_BEFORE_ANT_TOGGLE)
ant_toggle_cnt++;
--
2.34.1
Powered by blists - more mailing lists