From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Alexey Kodanev, Kalle Valo, Sasha Levin
Subject: [PATCH 4.14 064/229] wifi: iwlegacy: 4965: fix potential off-by-one overflow in il4965_rs_fill_link_cmd()
Date: Tue, 23 Aug 2022 10:23:45 +0200
Message-Id: <20220823080056.017384397@linuxfoundation.org>
In-Reply-To: <20220823080053.202747790@linuxfoundation.org>
References: <20220823080053.202747790@linuxfoundation.org>

From: Alexey Kodanev

[ Upstream commit a8eb8e6f7159c7c20c0ddac428bde3d110890aa7 ]

As a result of the execution of the inner while loop, the value
of 'idx' can be equal to LINK_QUAL_MAX_RETRY_NUM. However, this
is not checked after the loop and 'idx' is used to write the
LINK_QUAL_MAX_RETRY_NUM size array 'lq_cmd->rs_table[idx]' below
in the outer loop.

The fix is to check the new value of 'idx' inside the nested loop,
and break both loops if index equals the size. Checking it at the
start is now pointless, so let's remove it.

Detected using the static analysis tool - Svace.

Fixes: be663ab67077 ("iwlwifi: split the drivers for agn and legacy devices 3945/4965")
Signed-off-by: Alexey Kodanev
Signed-off-by: Kalle Valo
Link: https://lore.kernel.org/r/20220608171614.28891-1-aleksei.kodanev@bell-sw.com
Signed-off-by: Sasha Levin
---
 drivers/net/wireless/intel/iwlegacy/4965-rs.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/intel/iwlegacy/4965-rs.c b/drivers/net/wireless/intel/iwlegacy/4965-rs.c index c055f6da11c6..623ee20b2c19 100644 --- a/drivers/net/wireless/intel/iwlegacy/4965-rs.c +++ b/drivers/net/wireless/intel/iwlegacy/4965-rs.c @@ -2424,7 +2424,7 @@ il4965_rs_fill_link_cmd(struct il_priv *il, struct il_lq_sta *lq_sta, /* Repeat initial/next rate. * For legacy IL_NUMBER_TRY == 1, this loop will not execute. * For HT IL_HT_NUMBER_TRY == 3, this executes twice. */ - while (repeat_rate > 0 && idx < LINK_QUAL_MAX_RETRY_NUM) { + while (repeat_rate > 0) { if (is_legacy(tbl_type.lq_type)) { if (ant_toggle_cnt < NUM_TRY_BEFORE_ANT_TOGGLE) ant_toggle_cnt++; @@ -2443,6 +2443,8 @@ il4965_rs_fill_link_cmd(struct il_priv *il, struct il_lq_sta *lq_sta, cpu_to_le32(new_rate); repeat_rate--; idx++; + if (idx >= LINK_QUAL_MAX_RETRY_NUM) + goto out; } il4965_rs_get_tbl_info_from_mcs(new_rate, lq_sta->band, @@ -2487,6 +2489,7 @@ il4965_rs_fill_link_cmd(struct il_priv *il, struct il_lq_sta *lq_sta, repeat_rate--; } +out: lq_cmd->agg_params.agg_frame_cnt_limit = LINK_QUAL_AGG_FRAME_LIMIT_DEF; lq_cmd->agg_params.agg_dis_start_th = LINK_QUAL_AGG_DISABLE_START_DEF; -- 2.35.1
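
Review bot: With `idx < LINK_QUAL_MAX_RETRY_NUM` dropped from the inner `while (repeat_rate > 0)` condition in the first hunk (@@ -2424), any use of `idx` on the first pass through that loop body happens before a bound is tested, so the change is only correct if `idx` is already below LINK_QUAL_MAX_RETRY_NUM every time the loop is entered. The hunk context does not show the enclosing loop's condition; please name the check that guarantees this in the commit message or in a short comment at the loop. The block comment above the loop ("For HT IL_HT_NUMBER_TRY == 3, this executes twice") could also mention that the loop now stops early once the table is full.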
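
Review bot: The check added after `idx++` in the second hunk (@@ -2443) tests `idx >= LINK_QUAL_MAX_RETRY_NUM`, while the commit message describes breaking out when the index equals the size. `>=` is the more defensive form and worth keeping, but a one-line comment above `goto out;` (for example, that the rate table is full) would explain why both loops are abandoned at this point, since the jump also skips the `il4965_rs_get_tbl_info_from_mcs()` call that follows the inner loop.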
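
Review bot: The `out:` label in the third hunk (@@ -2487) sits directly before the `lq_cmd->agg_params` assignments, so the early exit skips the tail of the outer loop body, including the trailing `repeat_rate--;` shown in the context. The two assignments visible after the label only store LINK_QUAL_AGG_* defaults and do not depend on that skipped state; please confirm the same holds for the rest of the function past the end of the hunk, so that leaving the loops mid-iteration cannot change what is programmed after the rate table.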