From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Alexey Kodanev, Kalle Valo, Sasha Levin
Subject: [PATCH 5.19 0383/1157] wifi: iwlegacy: 4965: fix potential off-by-one overflow in il4965_rs_fill_link_cmd()
Date: Mon, 15 Aug 2022 19:55:39 +0200
Message-Id: <20220815180455.047494324@linuxfoundation.org>
In-Reply-To: <20220815180439.416659447@linuxfoundation.org>
References: <20220815180439.416659447@linuxfoundation.org>

From: Alexey Kodanev

[ Upstream commit a8eb8e6f7159c7c20c0ddac428bde3d110890aa7 ]

As a result of the execution of the inner while loop, the value
of 'idx' can be equal to LINK_QUAL_MAX_RETRY_NUM. However, this
is not checked after the loop and 'idx' is used to write the
LINK_QUAL_MAX_RETRY_NUM size array 'lq_cmd->rs_table[idx]' below
in the outer loop.

The fix is to check the new value of 'idx' inside the nested loop,
and break both loops if index equals the size. Checking it at the
start is now pointless, so let's remove it.

Detected using the static analysis tool - Svace.

Fixes: be663ab67077 ("iwlwifi: split the drivers for agn and legacy devices 3945/4965")
Signed-off-by: Alexey Kodanev
Signed-off-by: Kalle Valo
Link: https://lore.kernel.org/r/20220608171614.28891-1-aleksei.kodanev@bell-sw.com
Signed-off-by: Sasha Levin
---
 drivers/net/wireless/intel/iwlegacy/4965-rs.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/intel/iwlegacy/4965-rs.c b/drivers/net/wireless/intel/iwlegacy/4965-rs.c index 9dd2d890e35f..c62f299b9e0a 100644 --- a/drivers/net/wireless/intel/iwlegacy/4965-rs.c +++ b/drivers/net/wireless/intel/iwlegacy/4965-rs.c @@ -2403,7 +2403,7 @@ il4965_rs_fill_link_cmd(struct il_priv *il, struct il_lq_sta *lq_sta, /* Repeat initial/next rate. * For legacy IL_NUMBER_TRY == 1, this loop will not execute. * For HT IL_HT_NUMBER_TRY == 3, this executes twice. */ - while (repeat_rate > 0 && idx < LINK_QUAL_MAX_RETRY_NUM) { + while (repeat_rate > 0) { if (is_legacy(tbl_type.lq_type)) { if (ant_toggle_cnt < NUM_TRY_BEFORE_ANT_TOGGLE) ant_toggle_cnt++; @@ -2422,6 +2422,8 @@ il4965_rs_fill_link_cmd(struct il_priv *il, struct il_lq_sta *lq_sta, cpu_to_le32(new_rate); repeat_rate--; idx++; + if (idx >= LINK_QUAL_MAX_RETRY_NUM) + goto out; } il4965_rs_get_tbl_info_from_mcs(new_rate, lq_sta->band, @@ -2466,6 +2468,7 @@ il4965_rs_fill_link_cmd(struct il_priv *il, struct il_lq_sta *lq_sta, repeat_rate--; } +out: lq_cmd->agg_params.agg_frame_cnt_limit = LINK_QUAL_AGG_FRAME_LIMIT_DEF; lq_cmd->agg_params.agg_dis_start_th = LINK_QUAL_AGG_DISABLE_START_DEF; -- 2.35.1
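
Review bot: in the first hunk, at `while (repeat_rate > 0)`, dropping `idx < LINK_QUAL_MAX_RETRY_NUM` leaves the first pass through this loop with no bound check of its own, because the new test only runs after `idx++`. That is safe only if every path into the loop already guarantees `idx < LINK_QUAL_MAX_RETRY_NUM`, and the lines shown here do not establish that. Either keep the condition as a cheap guard or add a comment above the loop naming the enclosing check that provides the invariant.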
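
Review bot: in the second hunk, the `goto out` placed after `idx++` leaves both loops in the middle of an outer iteration, so it skips everything between that point and the `out:` label, including the `il4965_rs_get_tbl_info_from_mcs()` call and the `repeat_rate--` just before the label. Nothing after `out:` in the visible lines reads those values, but the jump deserves a one-line comment at the check saying that the table has LINK_QUAL_MAX_RETRY_NUM entries and the outer loop writes `lq_cmd->rs_table[idx]` next, so a later reader does not fold the test back into the loop condition and reintroduce the overflow the commit message describes.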