summaryrefslogtreecommitdiff
path: root/drivers/net/wireless/mediatek
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2020-07-09 14:04:35 +0300
committerFelix Fietkau <nbd@nbd.name>2020-07-21 19:01:18 +0200
commiteb744e5df86cf7e377d0acc4e686101b0fd9663a (patch)
tree5aced7349636451cb61e0cb41c770d0c381a6ba3 /drivers/net/wireless/mediatek
parent9248c08c3fc4ef816c82aa49d01123f4746d349f (diff)
mt76: mt7915: potential array overflow in mt7915_mcu_tx_rate_report()
Smatch complains that "wcidx" value comes from the network and thus cannot be trusted. In this case, it actually seems to come from the firmware. If your wireless firmware is malicious then probably no amount of carefulness can protect you. On the other hand, these days we still try to check the firmware as much as possible. Verifying that the index is within bounds will silence a static checker warning. And it's harmless and a good exercise in kernel hardening. So I suggest that we do add a bounds check. Fixes: e57b7901469f ("mt76: add mac80211 driver for MT7915 PCIe-based chipsets") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Felix Fietkau <nbd@nbd.name>
Diffstat (limited to 'drivers/net/wireless/mediatek')
-rw-r--r--drivers/net/wireless/mediatek/mt76/mt7915/mcu.c19
1 files changed, 13 insertions, 6 deletions
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
index fa9f32fa9f2e..93b1439e147b 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
@@ -505,15 +505,22 @@ static void
mt7915_mcu_tx_rate_report(struct mt7915_dev *dev, struct sk_buff *skb)
{
struct mt7915_mcu_ra_info *ra = (struct mt7915_mcu_ra_info *)skb->data;
- u16 wcidx = le16_to_cpu(ra->wlan_idx);
- struct mt76_wcid *wcid = rcu_dereference(dev->mt76.wcid[wcidx]);
- struct mt7915_sta *msta = container_of(wcid, struct mt7915_sta, wcid);
- struct mt7915_sta_stats *stats = &msta->stats;
- struct mt76_phy *mphy = &dev->mphy;
struct rate_info rate = {}, prob_rate = {};
+ u16 probe = le16_to_cpu(ra->prob_up_rate);
u16 attempts = le16_to_cpu(ra->attempts);
u16 curr = le16_to_cpu(ra->curr_rate);
- u16 probe = le16_to_cpu(ra->prob_up_rate);
+ u16 wcidx = le16_to_cpu(ra->wlan_idx);
+ struct mt76_phy *mphy = &dev->mphy;
+ struct mt7915_sta_stats *stats;
+ struct mt7915_sta *msta;
+ struct mt76_wcid *wcid;
+
+ if (wcidx >= MT76_N_WCIDS)
+ return;
+
+ wcid = rcu_dereference(dev->mt76.wcid[wcidx]);
+ msta = container_of(wcid, struct mt7915_sta, wcid);
+ stats = &msta->stats;
if (msta->wcid.ext_phy && dev->mt76.phy2)
mphy = dev->mt76.phy2;