From: Ping-Ke Shih Date: Tue, 15 Jul 2025 03:52:59 +0000 (+0800) Subject: wifi: rtw89: check path range before using in rtw89_fw_h2c_rf_ps_info() X-Git-Tag: v6.17-rc1~126^2~34^2~50^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8b4a0277388137ac31728ee69d9e388a0fa52287;p=thirdparty%2Flinux.git wifi: rtw89: check path range before using in rtw89_fw_h2c_rf_ps_info() The variable 'path' from rtw89_phy_get_syn_sel() as index of array could be 3, but array size is 2. Fortunately, current chip->rf_path_num is smaller or equal to 2, so it is safe. To prevent mistakes in the future, add a checking and avoid Coverity warnings. Addresses-Coverity-ID: linux-next: 1644716 ("Out-of-bounds write") Addresses-Coverity-ID: linux-next: 1644717 ("Out-of-bounds write") Signed-off-by: Ping-Ke Shih Link: https://patch.msgid.link/20250715035259.45061-6-pkshih@realtek.com --- diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c index d26626bed9605..a26465ff6a684 100644 --- a/drivers/net/wireless/realtek/rtw89/fw.c +++ b/drivers/net/wireless/realtek/rtw89/fw.c @@ -6153,7 +6153,7 @@ int rtw89_fw_h2c_rf_ps_info(struct rtw89_dev *rtwdev, struct rtw89_vif *rtwvif) path = rtw89_phy_get_syn_sel(rtwdev, rtwvif_link->phy_idx); val = rtw89_chip_chan_to_rf18_val(rtwdev, chan); - if (path >= chip->rf_path_num) { + if (path >= chip->rf_path_num || path >= NUM_OF_RTW89_FW_RFK_PATH) { rtw89_err(rtwdev, "unsupported rf path (%d)\n", path); ret = -ENOENT; goto fail;