wifi: mt76: mt7925: fix a potential array-index-out-of-bounds issue for clc

commit 9679ca7326e52282cc923c4d71d81c999cb6cd55 upstream.

Due to the lack of checks on the clc array, if the firmware supports
more clc configuration, it will cause illegal memory access.

Cc: stable@vger.kernel.org
Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
Link: https://patch.msgid.link/20240819015334.14580-1-mingyen.hsieh@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
index 9dc22fbe25d3350875874f55d9d8ee8b384a1789..c6c380571fd86f34a727b67b7839e7186e68b988 100644 (file)
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
@@ -638,6 +638,9 @@ static int mt7925_load_clc(struct mt792x_dev *dev, const char *fw_name)
        for (offset = 0; offset < len; offset += le32_to_cpu(clc->len)) {
                clc = (const struct mt7925_clc *)(clc_base + offset);
 
+               if (clc->idx > ARRAY_SIZE(phy->clc))
+                       break;
+
                /* do not init buf again if chip reset triggered */
                if (phy->clc[clc->idx])
                        continue;