From: Stanislaw Gruszka <stf_xl@wp.pl>
To: Fedor Pchelkin <pchelkin@ispras.ru>
Cc: Alexei Safin <a.safin@rosa.ru>,
lvc-project@linuxtesting.org, netdev@vger.kernel.org,
Kalle Valo <kvalo@kernel.org>,
linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
"David S . Miller" <davem@davemloft.net>
Subject: Re: [PATCH v2] iwlegacy: 4965: fix possible out-of-bounds access in il4965_tx_cmd_build_rate()
Date: Tue, 29 Apr 2025 23:40:18 +0200 [thread overview]
Message-ID: <20250429214018.GA55582@wp.pl> (raw)
In-Reply-To: <d57qkj2tj4bgfobgzbhcb4bceh327o35mgamy2yyfuvolg4ymo@7p7hbpyg5bxi>
Hi
On Tue, Apr 29, 2025 at 08:15:59PM +0300, Fedor Pchelkin wrote:
> Hello,
>
> On Sun, 27. Apr 08:39, Stanislaw Gruszka wrote:
> > > diff --git a/drivers/net/wireless/intel/iwlegacy/4965-mac.c b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
> > > index 78dee8ccfebf..f60d9b9798c1 100644
> > > --- a/drivers/net/wireless/intel/iwlegacy/4965-mac.c
> > > +++ b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
> > > @@ -1572,7 +1572,7 @@ il4965_tx_cmd_build_rate(struct il_priv *il,
> > > */
> > > rate_idx = info->control.rates[0].idx;
> > > if ((info->control.rates[0].flags & IEEE80211_TX_RC_MCS) || rate_idx < 0
> > > - || rate_idx > RATE_COUNT_LEGACY)
> > > + || rate_idx >= RATE_COUNT_LEGACY)
> > > rate_idx = rate_lowest_index(&il->bands[info->band], sta);
> >
> > .. so looks the check is fine already and changing it will induce a bug
> > for RATE_54M_INDEX.
> >
> > Regards
> > Stanislaw
> >
> > > /* For 5 GHZ band, remap mac80211 rate indices into driver indices */
> > > if (info->band == NL80211_BAND_5GHZ)
>
> Here goes the fragment:
>
> rate_idx += IL_FIRST_OFDM_RATE;
> /* Get PLCP rate for tx_cmd->rate_n_flags */
> rate_plcp = il_rates[rate_idx].plcp;
>
> > > --
> > > 2.39.5 (Apple Git-154)
> > >
>
> Looks like the proper checks should be added to address the 5GHZ case and
> validate that the index won't exceed the array boundaries after being shifted
> by IL_FIRST_OFDM_RATE.
Good point. It make sense to move rate_idx range check after possible
IL_FIRST_OFDM_RATE addition for 5GHz.
Regards
Stanislaw
next prev parent reply other threads:[~2025-04-29 21:40 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-24 18:52 [PATCH v2] iwlegacy: 4965: fix possible out-of-bounds access in il4965_tx_cmd_build_rate() Alexei Safin
2025-04-25 5:59 ` Ping-Ke Shih
2025-04-27 6:39 ` Stanislaw Gruszka
2025-04-29 17:15 ` Fedor Pchelkin
2025-04-29 21:40 ` Stanislaw Gruszka [this message]
2025-05-17 7:40 ` [PATCH] wifi: iwlegacy: Check rate_idx range after addition Stanislaw Gruszka
2025-05-17 12:21 ` Fedor Pchelkin
2025-05-17 14:53 ` Stanislaw Gruszka
2025-05-25 14:45 ` [PATCH v2] " Stanislaw Gruszka
2025-05-27 19:17 ` Fedor Pchelkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250429214018.GA55582@wp.pl \
--to=stf_xl@wp.pl \
--cc=a.safin@rosa.ru \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=lvc-project@linuxtesting.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pchelkin@ispras.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.