]>
Commit | Line | Data |
---|---|---|
1143c684 SL |
1 | From 54a037b6c83754287b645dc6414d8f139c6a5973 Mon Sep 17 00:00:00 2001 |
2 | From: Dan Carpenter <dan.carpenter@oracle.com> | |
3 | Date: Thu, 4 Apr 2019 11:44:23 +0300 | |
4 | Subject: mwifiex: prevent an array overflow | |
5 | ||
6 | [ Upstream commit b4c35c17227fe437ded17ce683a6927845f8c4a4 ] | |
7 | ||
8 | The "rate_index" is only used as an index into the phist_data->rx_rate[] | |
9 | array in the mwifiex_hist_data_set() function. That array has | |
10 | MWIFIEX_MAX_AC_RX_RATES (74) elements and it's used to generate some | |
11 | debugfs information. The "rate_index" variable comes from the network | |
12 | skb->data[] and it is a u8 so it's in the 0-255 range. We need to cap | |
13 | it to prevent an array overflow. | |
14 | ||
15 | Fixes: cbf6e05527a7 ("mwifiex: add rx histogram statistics support") | |
16 | Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> | |
17 | Signed-off-by: Kalle Valo <kvalo@codeaurora.org> | |
18 | Signed-off-by: Sasha Levin <sashal@kernel.org> | |
19 | --- | |
20 | drivers/net/wireless/mwifiex/cfp.c | 3 +++ | |
21 | 1 file changed, 3 insertions(+) | |
22 | ||
23 | diff --git a/drivers/net/wireless/mwifiex/cfp.c b/drivers/net/wireless/mwifiex/cfp.c | |
24 | index 3ddb8ec676ed3..6dd331dfb5179 100644 | |
25 | --- a/drivers/net/wireless/mwifiex/cfp.c | |
26 | +++ b/drivers/net/wireless/mwifiex/cfp.c | |
27 | @@ -533,5 +533,8 @@ u8 mwifiex_adjust_data_rate(struct mwifiex_private *priv, | |
28 | rate_index = (rx_rate > MWIFIEX_RATE_INDEX_OFDM0) ? | |
29 | rx_rate - 1 : rx_rate; | |
30 | ||
31 | + if (rate_index >= MWIFIEX_MAX_AC_RX_RATES) | |
32 | + rate_index = MWIFIEX_MAX_AC_RX_RATES - 1; | |
33 | + | |
34 | return rate_index; | |
35 | } | |
36 | -- | |
37 | 2.20.1 | |
38 |