Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp2815282rwb; Mon, 15 Aug 2022 11:55:03 -0700 (PDT) X-Google-Smtp-Source: AA6agR50UNtUCFFp94AvDqBcfZVfAJD9D5yHwsYiq2DPaB1z5i1JNrDp1ySolLjK2NM4V69jMzq7 X-Received: by 2002:a17:907:6eaa:b0:730:9fb6:41a5 with SMTP id sh42-20020a1709076eaa00b007309fb641a5mr11100766ejc.675.1660589703078; Mon, 15 Aug 2022 11:55:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660589703; cv=none; d=google.com; s=arc-20160816; b=Oyb2CKTkWmwhyg+j8uVneYbWa9uN5jtYe6isi9LFvgLOVy57iNpruhTcoqTrwKoA/9 lcXOERo4VdFzs+xeMbNPX2GL/1GbeD/gbJW1lAem0Jn7kH5LjCO6JmgDiaUkiwziugz8 IxNtgh0WRVnftbkK8IivJ5Vzje497G1cuffn6JdFHIoKpl7SorSvDQG2wMraIwfNhLu4 fOiE/Dueel88uqda0tmMPCDk7gHrDnE1ay90g0LeuuwY3zSfds0THPWkoh9o5pcpQz1F XYOC7vCtK9I/kbWRif9detrjTPhAOWM9vY7VtGwTkoYikKWkufM3NFezlWciGX4qjsXY uwdg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=IWxNPDBWOzEEivY4eEjmI85rgHooJbhYr7gX3pMA49U=; b=XijJ56LXjvZaxtF5IVVrEKfEF+U3Gx6e4iCKc/fX+0PJVsdCqvX+v+9Igj8b7sBH7L xyNursrBVfGAnr9hYJOBp4FtwaHbbW7KsqTMzwIGwxBl+cbV0RrUMQYXo4UBZ4Z3e7Iv apUzpkXc4a5Fx/T2x1NJXO9381Mizhra2qk4h/SZstBKyllIbZLwShbW5SiZZI8jMzob r6+BxxuzHlTmg61s3CBXwcWD27fidHK+fLSVMbX6H5ikU4kiT0vRrG4BnbHnluDwthC2 bFD97tY8ir0menlUDRL95BFcNlb74gdtSLBPyv02OI5E6OpbhWiEQjsLHKCGIM+1j6oH 79XA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=XiGvHBRp; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id q8-20020a056402518800b0043a64ab539bsi9493197edd.60.2022.08.15.11.54.35; Mon, 15 Aug 2022 11:55:03 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=XiGvHBRp; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233255AbiHOSuS (ORCPT + 99 others); Mon, 15 Aug 2022 14:50:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49684 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243824AbiHOSpp (ORCPT ); Mon, 15 Aug 2022 14:45:45 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1E3C030F7A; Mon, 15 Aug 2022 11:27:34 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id CBBB960FB8; Mon, 15 Aug 2022 18:27:33 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id BA007C433C1; Mon, 15 Aug 2022 18:27:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660588053; bh=C+7qbxZDcsHmioA8hGAKIIf6AxtRN3IaVwqqKwIMSR0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=XiGvHBRpsN5dnHi63w+LLQbJ2tWhqgzA1Z9jN5IfD2+SPcOacDfNceumuAymGTkTi N4+/gSVPV8Pkt5tWF1FqRGJuM6kU3Ue7vqDOH14vdeR4or3A3WpQC4ivQLYazeaTmB 9aQUCfnEzpl8bDspAbPXyV2NTt3qp1QrH4vLTZ8Q= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alexey Kodanev , Kalle Valo , Sasha Levin Subject: [PATCH 5.15 280/779] wifi: iwlegacy: 4965: fix potential off-by-one overflow in il4965_rs_fill_link_cmd() Date: Mon, 15 Aug 2022 19:58:44 +0200 Message-Id: <20220815180349.281891910@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220815180337.130757997@linuxfoundation.org> References: <20220815180337.130757997@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Alexey Kodanev [ Upstream commit a8eb8e6f7159c7c20c0ddac428bde3d110890aa7 ] As a result of the execution of the inner while loop, the value of 'idx' can be equal to LINK_QUAL_MAX_RETRY_NUM. However, this is not checked after the loop and 'idx' is used to write the LINK_QUAL_MAX_RETRY_NUM size array 'lq_cmd->rs_table[idx]' below in the outer loop. The fix is to check the new value of 'idx' inside the nested loop, and break both loops if index equals the size. Checking it at the start is now pointless, so let's remove it. Detected using the static analysis tool - Svace. Fixes: be663ab67077 ("iwlwifi: split the drivers for agn and legacy devices 3945/4965") Signed-off-by: Alexey Kodanev Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220608171614.28891-1-aleksei.kodanev@bell-sw.com Signed-off-by: Sasha Levin --- drivers/net/wireless/intel/iwlegacy/4965-rs.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/intel/iwlegacy/4965-rs.c b/drivers/net/wireless/intel/iwlegacy/4965-rs.c index 9a491e5db75b..532e3b91777d 100644 --- a/drivers/net/wireless/intel/iwlegacy/4965-rs.c +++ b/drivers/net/wireless/intel/iwlegacy/4965-rs.c @@ -2403,7 +2403,7 @@ il4965_rs_fill_link_cmd(struct il_priv *il, struct il_lq_sta *lq_sta, /* Repeat initial/next rate. * For legacy IL_NUMBER_TRY == 1, this loop will not execute. * For HT IL_HT_NUMBER_TRY == 3, this executes twice. */ - while (repeat_rate > 0 && idx < LINK_QUAL_MAX_RETRY_NUM) { + while (repeat_rate > 0) { if (is_legacy(tbl_type.lq_type)) { if (ant_toggle_cnt < NUM_TRY_BEFORE_ANT_TOGGLE) ant_toggle_cnt++; @@ -2422,6 +2422,8 @@ il4965_rs_fill_link_cmd(struct il_priv *il, struct il_lq_sta *lq_sta, cpu_to_le32(new_rate); repeat_rate--; idx++; + if (idx >= LINK_QUAL_MAX_RETRY_NUM) + goto out; } il4965_rs_get_tbl_info_from_mcs(new_rate, lq_sta->band, @@ -2466,6 +2468,7 @@ il4965_rs_fill_link_cmd(struct il_priv *il, struct il_lq_sta *lq_sta, repeat_rate--; } +out: lq_cmd->agg_params.agg_frame_cnt_limit = LINK_QUAL_AGG_FRAME_LIMIT_DEF; lq_cmd->agg_params.agg_dis_start_th = LINK_QUAL_AGG_DISABLE_START_DEF; -- 2.35.1