ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb()

[ Upstream commit 2705cd7558e718a7240c64eb0afb2edad5f8c190 ]

The value of "htc_hdr->endpoint_id" comes from skb->data so Smatch marks
it as untrusted so we have to check it before using it as an array
offset.

This is similar to a bug that syzkaller found in commit e4ff08a4d727
("ath9k: Fix use-after-free Write in ath9k_htc_rx_msg") so it is
probably a real issue.

Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200813141253.GA457408@mwanda
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index f705f0e1cb5bed8b3139ba2e55b0e39b725e2fa3..05fca38b38ed4453bae265e1afe1f0e68d63591b 100644 (file)
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -342,6 +342,8 @@ void ath9k_htc_txcompletion_cb(struct htc_target *htc_handle,
 
        if (skb) {
                htc_hdr = (struct htc_frame_hdr *) skb->data;
+               if (htc_hdr->endpoint_id >= ARRAY_SIZE(htc_handle->endpoint))
+                       goto ret;
                endpoint = &htc_handle->endpoint[htc_hdr->endpoint_id];
                skb_pull(skb, sizeof(struct htc_frame_hdr));