wifi: iwlwifi: ensure we don't read SAR values past the limit

When we fill the SAR values, we read values from the BIOS store in the
firmware runtime object and write them into the command that we send to
the firmware.
We assumed that the size of the firmware command is not longer than the
BIOS tables. This has been true until now, but this is not really safe.
We will soon have an firmware API change that will increase the size of
the table in the command and we want to make sure that we don't have a
buffer overrun when we read the firmware runtime object.
Add this safety measure.

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260319110722.99aaf2df072a.I5942590b81324b17e2a369f0c354cafee0f70ef5@changeid

diff --git a/drivers/net/wireless/intel/iwlwifi/fw/regulatory.c b/drivers/net/wireless/intel/iwlwifi/fw/regulatory.c
index 958e71a3c958bdb8dd8a7f78b7bb915cfb5c3c30..5793c267daf7cb9d5165677926f1411aa47c73d4 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/fw/regulatory.c
+++ b/drivers/net/wireless/intel/iwlwifi/fw/regulatory.c
@@ -241,6 +241,10 @@ static int iwl_sar_fill_table(struct iwl_fw_runtime *fwrt,
        int profs[BIOS_SAR_NUM_CHAINS] = { prof_a, prof_b };
        int i, j;
 
+       if (WARN_ON_ONCE(n_subbands >
+                        ARRAY_SIZE(fwrt->sar_profiles[0].chains[0].subbands)))
+               return -EINVAL;
+
        for (i = 0; i < BIOS_SAR_NUM_CHAINS; i++) {
                struct iwl_sar_profile *prof;