From: Rand Deeb
To: Miri Korenblit, Kalle Valo, Johannes Berg, Gregory Greenman, Anjaneyulu, Dmitry Antipov, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: deeb.rand@confident.ru, lvc-project@linuxtesting.org, voskresenski.stanislav@confident.ru, khoroshilov@ispras.ru, Rand Deeb
Subject: [PATCH] wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd()
Date: Wed, 13 Mar 2024 13:17:55 +0300
Message-Id: <20240313101755.269209-1-rand.sec96@gmail.com>
X-Mailer: git-send-email 2.34.1
Precedence: bulk
X-Mailing-List: linux-wireless@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

The 'index' variable in the rs_fill_link_cmd() function can reach
LINK_QUAL_MAX_RETRY_NUM during the execution of the inner loop. This
variable is used as an index for the lq_cmd->rs_table array, which has a
size of LINK_QUAL_MAX_RETRY_NUM, without proper validation.

Modify the condition of the inner loop to ensure that the 'index'
variable does not exceed LINK_QUAL_MAX_RETRY_NUM - 1, thereby preventing
any potential overflow issues.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Rand Deeb
--- drivers/net/wireless/intel/iwlwifi/dvm/rs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c index f4a6f76cf193..e70024525eb9 100644 --- a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c +++ b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c 
@@ -2904,7 +2904,7 @@ static void rs_fill_link_cmd(struct iwl_priv *priv, /* Repeat initial/next rate. * For legacy IWL_NUMBER_TRY == 1, this loop will not execute. * For HT IWL_HT_NUMBER_TRY == 3, this executes twice. */ - while (repeat_rate > 0 && (index < LINK_QUAL_MAX_RETRY_NUM)) { + while (repeat_rate > 0 && index < (LINK_QUAL_MAX_RETRY_NUM - 1)) { if (is_legacy(tbl_type.lq_type)) { if (ant_toggle_cnt < NUM_TRY_BEFORE_ANT_TOGGLE) ant_toggle_cnt++; -- 2.34.1
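
Review bot: The new bound "index < (LINK_QUAL_MAX_RETRY_NUM - 1)" on the inner while loop is not explained anywhere in the code, and neither the commit message nor the hunk identifies which rs_table access actually goes out of bounds. The old condition already kept index below LINK_QUAL_MAX_RETRY_NUM on entry to every iteration of this loop, so the access being protected is presumably one that runs after the loop exits, outside the context shown here. Please name that access in the commit message and extend the comment above the loop to say why one slot is held back; otherwise the "- 1" reads like an off-by-one to the next person touching this code. The existing comment ("For HT IWL_HT_NUMBER_TRY == 3, this executes twice") also becomes inaccurate near the end of the table, where the tighter bound can cut the repeat short, so it is worth a word there too. If this is a reachable out-of-bounds write rather than only a static-analysis finding, the message should say so and carry a Fixes: tag so that stable trees pick it up. Minor style point: the parentheses around LINK_QUAL_MAX_RETRY_NUM - 1 are not needed.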