diff options
| author |   Dan Carpenter <dan.carpenter@oracle.com> | 2017-12-29 16:31:03 +0800 |
|---|---|---|
| committer |   Kalle Valo <kvalo@codeaurora.org> | 2018-01-08 19:07:41 +0200 |
| commit | 5e0c1f0503cf79a04896875f59f82b73f9d754d4 (patch) | |
| tree | 3bc61c479d62d782300862c69bc364377d9fd3e5 /drivers/net/wireless/realtek/rtlwifi/base.c | |
| parent | MAINTAINERS: Change maintainer for rtlwifi (diff) | |
| download | linux-dev-5e0c1f0503cf79a04896875f59f82b73f9d754d4.tar.xz linux-dev-5e0c1f0503cf79a04896875f59f82b73f9d754d4.zip | |
rtlwifi: check for array overflow
This is merged by Ping-Ke Shih from commit dc33bd4309d2 ("staging:
rtlwifi: check for array overflow"), and the original commit log is
reserved below.
Smatch is distrustful of the "capab" value and marks it as user
controlled. I think it actually comes from the firmware? Anyway, I
looked at other drivers and they added a bounds check and it seems like
a harmless thing to have so I have added it here as well.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Diffstat (limited to 'drivers/net/wireless/realtek/rtlwifi/base.c')
| -rw-r--r-- | drivers/net/wireless/realtek/rtlwifi/base.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c index 704741d6f495..2052e0e5e083 100644 --- a/drivers/net/wireless/realtek/rtlwifi/base.c +++ b/drivers/net/wireless/realtek/rtlwifi/base.c @@ -1321,6 +1321,10 @@ bool rtl_action_proc(struct ieee80211_hw *hw, struct sk_buff *skb, u8 is_tx) le16_to_cpu(mgmt->u.action.u.addba_req.capab); tid = (capab & IEEE80211_ADDBA_PARAM_TID_MASK) >> 2; + if (tid >= MAX_TID_COUNT) { + rcu_read_unlock(); + return true; + } tid_data = &sta_entry->tids[tid]; if (tid_data->agg.rx_agg_state == RTL_RX_AGG_START) |