If 'idx' is 0, then 'idx2' is -1, and arrays
will be accessed by a negative index.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Igor Artemiev <[email protected]>
---
net/mac80211/rx.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index e751cda5eef6..e686380434bd 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1868,10 +1868,13 @@ ieee80211_rx_get_bigtk(struct ieee80211_rx_data *rx, int idx)
key = rcu_dereference(rx->link_sta->gtk[idx]);
if (!key)
key = rcu_dereference(rx->link->gtk[idx]);
- if (!key && rx->link_sta)
- key = rcu_dereference(rx->link_sta->gtk[idx2]);
- if (!key)
- key = rcu_dereference(rx->link->gtk[idx2]);
+
+ if (idx2 >= 0) {
+ if (!key && rx->link_sta)
+ key = rcu_dereference(rx->link_sta->gtk[idx2]);
+ if (!key)
+ key = rcu_dereference(rx->link->gtk[idx2]);
+ }
return key;
}
--
2.30.2
On 10/4/23 17:58, Johannes Berg wrote:
> And ... how exactly do you propose that is going to happen?
'conf.keyidx', the value that is passed to the function, can be 0. But I
missed checking the second argument of the ieee80211_rx_get_bigtk()
function before calling it. Sorry to bother you.
Thanks,
Igor