[thirdparty/kernel/stable-queue.git] / queue-4.4 / mwifiex-prevent-an-array-overflow.patch

From 54a037b6c83754287b645dc6414d8f139c6a5973 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Thu, 4 Apr 2019 11:44:23 +0300
Subject: mwifiex: prevent an array overflow

[ Upstream commit b4c35c17227fe437ded17ce683a6927845f8c4a4 ]

The "rate_index" is only used as an index into the phist_data->rx_rate[]
array in the mwifiex_hist_data_set() function.  That array has
MWIFIEX_MAX_AC_RX_RATES (74) elements and it's used to generate some
debugfs information.  The "rate_index" variable comes from the network
skb->data[] and it is a u8 so it's in the 0-255 range.  We need to cap
it to prevent an array overflow.

Fixes: cbf6e05527a7 ("mwifiex: add rx histogram statistics support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/mwifiex/cfp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/mwifiex/cfp.c b/drivers/net/wireless/mwifiex/cfp.c
index 3ddb8ec676ed3..6dd331dfb5179 100644
--- a/drivers/net/wireless/mwifiex/cfp.c
+++ b/drivers/net/wireless/mwifiex/cfp.c
@@ -533,5 +533,8 @@ u8 mwifiex_adjust_data_rate(struct mwifiex_private *priv,
 		rate_index = (rx_rate > MWIFIEX_RATE_INDEX_OFDM0) ?
 			      rx_rate - 1 : rx_rate;
 
+	if (rate_index >= MWIFIEX_MAX_AC_RX_RATES)
+		rate_index = MWIFIEX_MAX_AC_RX_RATES - 1;
+
 	return rate_index;
 }
-- 
2.20.1
Commit	Line	Data
1143c684 SL	1	From 54a037b6c83754287b645dc6414d8f139c6a5973 Mon Sep 17 00:00:00 2001
	2	From: Dan Carpenter <dan.carpenter@oracle.com>
	3	Date: Thu, 4 Apr 2019 11:44:23 +0300
	4	Subject: mwifiex: prevent an array overflow
	5
	6	[ Upstream commit b4c35c17227fe437ded17ce683a6927845f8c4a4 ]
	7
	8	The "rate_index" is only used as an index into the phist_data->rx_rate[]
	9	array in the mwifiex_hist_data_set() function. That array has
	10	MWIFIEX_MAX_AC_RX_RATES (74) elements and it's used to generate some
	11	debugfs information. The "rate_index" variable comes from the network
	12	skb->data[] and it is a u8 so it's in the 0-255 range. We need to cap
	13	it to prevent an array overflow.
	14
	15	Fixes: cbf6e05527a7 ("mwifiex: add rx histogram statistics support")
	16	Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
	17	Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
	18	Signed-off-by: Sasha Levin <sashal@kernel.org>
	19	---
	20	drivers/net/wireless/mwifiex/cfp.c \| 3 +++
	21	1 file changed, 3 insertions(+)
	22
	23	diff --git a/drivers/net/wireless/mwifiex/cfp.c b/drivers/net/wireless/mwifiex/cfp.c
	24	index 3ddb8ec676ed3..6dd331dfb5179 100644
	25	--- a/drivers/net/wireless/mwifiex/cfp.c
	26	+++ b/drivers/net/wireless/mwifiex/cfp.c
	27	@@ -533,5 +533,8 @@ u8 mwifiex_adjust_data_rate(struct mwifiex_private *priv,
	28	rate_index = (rx_rate > MWIFIEX_RATE_INDEX_OFDM0) ?
	29	rx_rate - 1 : rx_rate;
	30
	31	+ if (rate_index >= MWIFIEX_MAX_AC_RX_RATES)
	32	+ rate_index = MWIFIEX_MAX_AC_RX_RATES - 1;
	33	+
	34	return rate_index;
	35	}
	36	--
	37	2.20.1
	38