From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Dan Carpenter <dan.carpenter@oracle.com>,
Kalle Valo <kvalo@codeaurora.org>,
Sasha Levin <sashal@kernel.org>,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.2 011/249] ath6kl: add some bounds checking
Date: Mon, 15 Jul 2019 09:31:52 -0400 [thread overview]
Message-ID: <20190715133550.1772-11-sashal@kernel.org> (raw)
In-Reply-To: <20190715133550.1772-1-sashal@kernel.org>
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit 5d6751eaff672ea77642e74e92e6c0ac7f9709ab ]
The "ev->traffic_class" and "reply->ac" variables come from the network
and they're used as an offset into the wmi->stream_exist_for_ac[] array.
Those variables are u8 so they can be 0-255 but the stream_exist_for_ac[]
array only has WMM_NUM_AC (4) elements. We need to add a couple bounds
checks to prevent array overflows.
I also modified one existing check from "if (traffic_class > 3) {" to
"if (traffic_class >= WMM_NUM_AC) {" just to make them all consistent.
Fixes: bdcd81707973 (" Add ath6kl cleaned up driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath6kl/wmi.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
index 68854c45d0a4..9ab6aa9ded5c 100644
--- a/drivers/net/wireless/ath/ath6kl/wmi.c
+++ b/drivers/net/wireless/ath/ath6kl/wmi.c
@@ -1176,6 +1176,10 @@ static int ath6kl_wmi_pstream_timeout_event_rx(struct wmi *wmi, u8 *datap,
return -EINVAL;
ev = (struct wmi_pstream_timeout_event *) datap;
+ if (ev->traffic_class >= WMM_NUM_AC) {
+ ath6kl_err("invalid traffic class: %d\n", ev->traffic_class);
+ return -EINVAL;
+ }
/*
* When the pstream (fat pipe == AC) timesout, it means there were
@@ -1517,6 +1521,10 @@ static int ath6kl_wmi_cac_event_rx(struct wmi *wmi, u8 *datap, int len,
return -EINVAL;
reply = (struct wmi_cac_event *) datap;
+ if (reply->ac >= WMM_NUM_AC) {
+ ath6kl_err("invalid AC: %d\n", reply->ac);
+ return -EINVAL;
+ }
if ((reply->cac_indication == CAC_INDICATION_ADMISSION_RESP) &&
(reply->status_code != IEEE80211_TSPEC_STATUS_ADMISS_ACCEPTED)) {
@@ -2633,7 +2641,7 @@ int ath6kl_wmi_delete_pstream_cmd(struct wmi *wmi, u8 if_idx, u8 traffic_class,
u16 active_tsids = 0;
int ret;
- if (traffic_class > 3) {
+ if (traffic_class >= WMM_NUM_AC) {
ath6kl_err("invalid traffic class: %d\n", traffic_class);
return -EINVAL;
}
--
2.20.1
next prev parent reply other threads:[~2019-07-15 13:36 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-15 13:31 [PATCH AUTOSEL 5.2 001/249] ath10k: Check tx_stats before use it Sasha Levin
2019-07-15 13:31 ` Sasha Levin
2019-07-15 13:31 ` [PATCH AUTOSEL 5.2 002/249] ath10k: htt: don't use txdone_fifo with SDIO Sasha Levin
2019-07-15 13:31 ` Sasha Levin
2019-07-15 13:31 ` [PATCH AUTOSEL 5.2 003/249] ath10k: fix incorrect multicast/broadcast rate setting Sasha Levin
2019-07-15 13:31 ` Sasha Levin
2019-07-15 13:31 ` [PATCH AUTOSEL 5.2 004/249] ath9k: Don't trust TX status TID number when reporting airtime Sasha Levin
2019-07-15 13:31 ` [PATCH AUTOSEL 5.2 005/249] wil6210: fix potential out-of-bounds read Sasha Levin
2019-07-15 13:31 ` [PATCH AUTOSEL 5.2 006/249] ath10k: Do not send probe response template for mesh Sasha Levin
2019-07-15 13:31 ` Sasha Levin
[not found] ` <20190715133550.1772-1-sashal-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2019-07-15 13:31 ` [PATCH AUTOSEL 5.2 007/249] spi: rockchip: turn down tx dma bursts Sasha Levin
2019-07-15 13:31 ` Sasha Levin
2019-07-15 13:31 ` [PATCH AUTOSEL 5.2 008/249] ath9k: Check for errors when reading SREV register Sasha Levin
2019-07-15 13:31 ` [PATCH AUTOSEL 5.2 009/249] ath10k: Fix the wrong value of enums for wmi tlv stats id Sasha Levin
2019-07-15 13:31 ` Sasha Levin
2019-07-15 13:31 ` [PATCH AUTOSEL 5.2 010/249] wil6210: fix missed MISC mbox interrupt Sasha Levin
2019-07-15 13:31 ` Sasha Levin [this message]
2019-07-15 13:31 ` [PATCH AUTOSEL 5.2 012/249] ath10k: add peer id check in ath10k_peer_find_by_id Sasha Levin
2019-07-15 13:31 ` Sasha Levin
2019-07-15 13:31 ` [PATCH AUTOSEL 5.2 013/249] x86/tsc: Use CPUID.0x16 to calculate missing crystal frequency Sasha Levin
2019-07-15 13:31 ` [PATCH AUTOSEL 5.2 014/249] wil6210: fix spurious interrupts in 3-msi Sasha Levin
2019-07-15 13:31 ` [PATCH AUTOSEL 5.2 015/249] ath: DFS JP domain W56 fixed pulse type 3 RADAR detection Sasha Levin
2019-07-15 13:31 ` [PATCH AUTOSEL 5.2 016/249] ath10k: Fix encoding for protected management frames Sasha Levin
2019-07-15 13:31 ` Sasha Levin
2019-07-15 13:31 ` [PATCH AUTOSEL 5.2 017/249] regmap: debugfs: Fix memory leak in regmap_debugfs_init Sasha Levin
2019-07-15 13:31 ` [PATCH AUTOSEL 5.2 018/249] batman-adv: fix for leaked TVLV handler Sasha Levin
2019-07-15 13:32 ` [PATCH AUTOSEL 5.2 019/249] media: dvb: usb: fix use after free in dvb_usb_device_exit Sasha Levin
2019-07-15 13:32 ` [PATCH AUTOSEL 5.2 020/249] media: spi: IR LED: add missing of table registration Sasha Levin
2019-07-15 13:32 ` [PATCH AUTOSEL 5.2 021/249] crypto: talitos - fix skcipher failure due to wrong output IV Sasha Levin
2019-07-15 13:32 ` [PATCH AUTOSEL 5.2 022/249] media: ov7740: avoid invalid framesize setting Sasha Levin
2019-07-15 13:32 ` [PATCH AUTOSEL 5.2 023/249] media: marvell-ccic: fix DMA s/g desc number calculation Sasha Levin
2019-07-15 13:32 ` [PATCH AUTOSEL 5.2 024/249] selftests/bpf: adjust verifier scale test Sasha Levin
-- strict thread matches above, loose matches on Subject: below --
2019-07-15 13:42 [PATCH AUTOSEL 5.2 001/249] ath10k: Check tx_stats before use it Sasha Levin
2019-07-15 13:42 ` [PATCH AUTOSEL 5.2 011/249] ath6kl: add some bounds checking Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190715133550.1772-11-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=dan.carpenter@oracle.com \
--cc=kvalo@codeaurora.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.