wifi: rtw89: check path range before using in rtw89_fw_h2c_rf_ps_info()

The variable 'path' from rtw89_phy_get_syn_sel() as index of array could
be 3, but array size is 2. Fortunately, current chip->rf_path_num is
smaller or equal to 2, so it is safe. To prevent mistakes in the future,
add a checking and avoid Coverity warnings.

Addresses-Coverity-ID: linux-next: 1644716 ("Out-of-bounds write")
Addresses-Coverity-ID: linux-next: 1644717 ("Out-of-bounds write")

Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20250715035259.45061-6-pkshih@realtek.com

diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c
index d26626bed96051456c7567f31815d5178539f40f..a26465ff6a6847735b04a1492ef4dbeddd812e99 100644 (file)
--- a/drivers/net/wireless/realtek/rtw89/fw.c
+++ b/drivers/net/wireless/realtek/rtw89/fw.c
@@ -6153,7 +6153,7 @@ int rtw89_fw_h2c_rf_ps_info(struct rtw89_dev *rtwdev, struct rtw89_vif *rtwvif)
                path = rtw89_phy_get_syn_sel(rtwdev, rtwvif_link->phy_idx);
                val = rtw89_chip_chan_to_rf18_val(rtwdev, chan);
 
-               if (path >= chip->rf_path_num) {
+               if (path >= chip->rf_path_num || path >= NUM_OF_RTW89_FW_RFK_PATH) {
                        rtw89_err(rtwdev, "unsupported rf path (%d)\n", path);
                        ret = -ENOENT;
                        goto fail;