diff options
| author |   Dan Carpenter <dan.carpenter@oracle.com> | 2017-08-24 13:08:32 +0300 |
|---|---|---|
| committer |   Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-08-28 10:16:57 +0200 |
| commit | dc33bd4309d2e51950904e8d8f1d333a429c3371 (patch) | |
| tree | 98dce418941ff296fb2797240140ed1d4fe5899c /drivers/staging/rtlwifi | |
| parent | staging:rtl8188eu:core Fix add spaces around & (diff) | |
| download | linux-dev-dc33bd4309d2e51950904e8d8f1d333a429c3371.tar.xz linux-dev-dc33bd4309d2e51950904e8d8f1d333a429c3371.zip | |
staging: rtlwifi: check for array overflow
Smatch is distrustful of the "capab" value and marks it as user
controlled. I think it actually comes from the firmware? Anyway, I
looked at other drivers and they added a bounds check and it seems like
a harmless thing to have so I have added it here as well.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/staging/rtlwifi')
| -rw-r--r-- | drivers/staging/rtlwifi/base.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/staging/rtlwifi/base.c b/drivers/staging/rtlwifi/base.c index b81f0a943eb4..9a045c7d020c 100644 --- a/drivers/staging/rtlwifi/base.c +++ b/drivers/staging/rtlwifi/base.c @@ -1414,6 +1414,10 @@ bool rtl_action_proc(struct ieee80211_hw *hw, struct sk_buff *skb, u8 is_tx) le16_to_cpu(mgmt->u.action.u.addba_req.capab); tid = (capab & IEEE80211_ADDBA_PARAM_TID_MASK) >> 2; + if (tid >= MAX_TID_COUNT) { + rcu_read_unlock(); + return true; + } tid_data = &sta_entry->tids[tid]; if (tid_data->agg.rx_agg_state == RTL_RX_AGG_START) |