From: Ming Yen Hsieh Date: Mon, 19 Aug 2024 01:53:33 +0000 (+0800) Subject: wifi: mt76: mt7925: fix a potential array-index-out-of-bounds issue for clc X-Git-Tag: v6.10.13~86 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fb60020cb5b3ea4715e538c77e745c16516c5656;p=thirdparty%2Fkernel%2Fstable.git wifi: mt76: mt7925: fix a potential array-index-out-of-bounds issue for clc commit 9679ca7326e52282cc923c4d71d81c999cb6cd55 upstream. Due to the lack of checks on the clc array, if the firmware supports more clc configuration, it will cause illegal memory access. Cc: stable@vger.kernel.org Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips") Signed-off-by: Ming Yen Hsieh Link: https://patch.msgid.link/20240819015334.14580-1-mingyen.hsieh@mediatek.com Signed-off-by: Felix Fietkau Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c index 652a9accc43cc..7ec6bb5bc2767 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c @@ -613,6 +613,9 @@ static int mt7925_load_clc(struct mt792x_dev *dev, const char *fw_name) for (offset = 0; offset < len; offset += le32_to_cpu(clc->len)) { clc = (const struct mt7925_clc *)(clc_base + offset); + if (clc->idx > ARRAY_SIZE(phy->clc)) + break; + /* do not init buf again if chip reset triggered */ if (phy->clc[clc->idx]) continue;
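Review bot: The bound check added at the top of the loop body in mt7925_load_clc() is off by one: `if (clc->idx > ARRAY_SIZE(phy->clc))` still accepts `clc->idx == ARRAY_SIZE(phy->clc)`, and the `phy->clc[clc->idx]` test right below it then reads one element past the end of the array. Valid indices run from 0 to ARRAY_SIZE(phy->clc) - 1, so the comparison should be `>=`. Since `idx` is taken from the firmware blob, a short comment on why an out-of-range entry ends the whole loop with `break`, rather than skipping only that entry, would help the next reader. The loop step `offset += le32_to_cpu(clc->len)` also comes from the blob, and the visible context shows no guard against a zero length or an entry header that runs past `len`; if that is validated elsewhere in the function, it is worth noting here.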