From: Emmanuel Grumbach Date: Thu, 19 Mar 2026 09:09:14 +0000 (+0200) Subject: wifi: iwlwifi: ensure we don't read SAR values past the limit X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=07c82a4e5beed28a9d2f69bc687a4668ca2754c4;p=thirdparty%2Fkernel%2Flinux.git wifi: iwlwifi: ensure we don't read SAR values past the limit When we fill the SAR values, we read values from the BIOS store in the firmware runtime object and write them into the command that we send to the firmware. We assumed that the size of the firmware command is not longer than the BIOS tables. This has been true until now, but this is not really safe. We will soon have an firmware API change that will increase the size of the table in the command and we want to make sure that we don't have a buffer overrun when we read the firmware runtime object. Add this safety measure. Signed-off-by: Emmanuel Grumbach Signed-off-by: Miri Korenblit Link: https://patch.msgid.link/20260319110722.99aaf2df072a.I5942590b81324b17e2a369f0c354cafee0f70ef5@changeid --- diff --git a/drivers/net/wireless/intel/iwlwifi/fw/regulatory.c b/drivers/net/wireless/intel/iwlwifi/fw/regulatory.c index 958e71a3c958b..5793c267daf7c 100644 --- a/drivers/net/wireless/intel/iwlwifi/fw/regulatory.c +++ b/drivers/net/wireless/intel/iwlwifi/fw/regulatory.c @@ -241,6 +241,10 @@ static int iwl_sar_fill_table(struct iwl_fw_runtime *fwrt, int profs[BIOS_SAR_NUM_CHAINS] = { prof_a, prof_b }; int i, j; + if (WARN_ON_ONCE(n_subbands > + ARRAY_SIZE(fwrt->sar_profiles[0].chains[0].subbands))) + return -EINVAL; + for (i = 0; i < BIOS_SAR_NUM_CHAINS; i++) { struct iwl_sar_profile *prof;