wifi: rtw89: mcc: prevent shift wrapping in rtw89_core_mlsr_switch()

The "link_id" value comes from the user via debugfs.  If it's larger
than BITS_PER_LONG then that would result in shift wrapping and
potentially an out of bounds access later.  In fact, we can limit it
to IEEE80211_MLD_MAX_NUM_LINKS (15).

Fortunately, only root can write to debugfs files so the security
impact is minimal.

Fixes: 9dd85e739ce0 ("wifi: rtw89: debug: add mlo_mode dbgfs")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Zong-Zhe Yang <kevin_yang@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/aDbFFkX09K7FrL9h@stanley.mountain

diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c
index 49447668cbf3d6305804766fd8bf1ee6c7cdfa01..3604a8e15df06e56b2cfd0202fe068077d6a3527 100644 (file)
--- a/drivers/net/wireless/realtek/rtw89/core.c
+++ b/drivers/net/wireless/realtek/rtw89/core.c
@@ -5239,7 +5239,8 @@ int rtw89_core_mlsr_switch(struct rtw89_dev *rtwdev, struct rtw89_vif *rtwvif,
        if (unlikely(!ieee80211_vif_is_mld(vif)))
                return -EOPNOTSUPP;
 
-       if (unlikely(!(usable_links & BIT(link_id)))) {
+       if (unlikely(link_id >= IEEE80211_MLD_MAX_NUM_LINKS ||
+                    !(usable_links & BIT(link_id)))) {
                rtw89_warn(rtwdev, "%s: link id %u is not usable\n", __func__,
                           link_id);
                return -ENOLINK;