From: Eyal Shapira Date: Thu, 19 Nov 2015 16:37:31 +0000 (+0200) Subject: iwlwifi: mvm: rs: fix a potential out of bounds access X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=e8b3f7b6e746e5a850d243e1e11d83d2163e16e4;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git iwlwifi: mvm: rs: fix a potential out of bounds access Klocwork pointed these out. There is a theoretical possibility that rate->index might be set to IWL_RATE_INVALID (15). This could trigger an out of bounds access on ht_vht_rates or legacy_rates arrays. Fix it by adding some checks. Signed-off-by: Eyal Shapira Signed-off-by: Emmanuel Grumbach --- diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c index feb775a8223a..31b082edd29e 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c @@ -552,9 +552,10 @@ static char *rs_pretty_rate(const struct rs_rate *rate) }; const char *rate_str; - if (is_type_legacy(rate->type)) + if (is_type_legacy(rate->type) && (rate->index <= IWL_RATE_54M_INDEX)) rate_str = legacy_rates[rate->index]; - else if (is_type_ht(rate->type) || is_type_vht(rate->type)) + else if ((is_type_ht(rate->type) || is_type_vht(rate->type)) && + (rate->index <= IWL_RATE_MCS_9_INDEX)) rate_str = ht_vht_rates[rate->index]; else rate_str = "BAD_RATE";