From: Stanislaw Gruszka <stf_xl@wp.pl>
To: Fedor Pchelkin <pchelkin@ispras.ru>,
Johannes Berg <johannes@sipsolutions.net>
Cc: Alexei Safin <a.safin@rosa.ru>,
lvc-project@linuxtesting.org, netdev@vger.kernel.org,
Kalle Valo <kvalo@kernel.org>,
linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
"David S . Miller" <davem@davemloft.net>
Subject: [PATCH] wifi: iwlegacy: Check rate_idx range after addition
Date: Sat, 17 May 2025 09:40:40 +0200 [thread overview]
Message-ID: <20250517074040.GA96365@wp.pl> (raw)
In-Reply-To: <d57qkj2tj4bgfobgzbhcb4bceh327o35mgamy2yyfuvolg4ymo@7p7hbpyg5bxi>
Move rate_idx range check after we add IL_FIRST_OFDM_RATE for it
for 5GHz band.
Additionally use ">= RATE_COUNT" check instead of "> RATE_COUNT_LEGACY"
to avoid possible reviewers and static code analyzers confusion about
size of il_rate array.
Reported-by: Fedor Pchelkin <pchelkin@ispras.ru>
Reported-by: Alexei Safin <a.safin@rosa.ru>
Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
---
drivers/net/wireless/intel/iwlegacy/4965-mac.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlegacy/4965-mac.c b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
index dc8c408902e6..2294ea43b4c7 100644
--- a/drivers/net/wireless/intel/iwlegacy/4965-mac.c
+++ b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
@@ -1567,16 +1567,19 @@ il4965_tx_cmd_build_rate(struct il_priv *il,
/**
* If the current TX rate stored in mac80211 has the MCS bit set, it's
* not really a TX rate. Thus, we use the lowest supported rate for
- * this band. Also use the lowest supported rate if the stored rate
- * idx is invalid.
+ * this band.
*/
rate_idx = info->control.rates[0].idx;
- if ((info->control.rates[0].flags & IEEE80211_TX_RC_MCS) || rate_idx < 0
- || rate_idx > RATE_COUNT_LEGACY)
+ if (info->control.rates[0].flags & IEEE80211_TX_RC_MCS)
rate_idx = rate_lowest_index(&il->bands[info->band], sta);
- /* For 5 GHZ band, remap mac80211 rate indices into driver indices */
- if (info->band == NL80211_BAND_5GHZ)
+ else if (info->band == NL80211_BAND_5GHZ)
+ /* For 5 GHZ band, remap mac80211 rate indices into driver indices */
rate_idx += IL_FIRST_OFDM_RATE;
+
+ /* Use the lowest supported rate if the stored rate idx is invalid. */
+ if (rate_idx < 0 || rate_idx >= RATE_COUNT)
+ rate_idx = rate_lowest_index(&il->bands[info->band], sta);
+
/* Get PLCP rate for tx_cmd->rate_n_flags */
rate_plcp = il_rates[rate_idx].plcp;
/* Zero out flags for this packet */
--
2.25.4
next prev parent reply other threads:[~2025-05-17 8:07 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-24 18:52 [PATCH v2] iwlegacy: 4965: fix possible out-of-bounds access in il4965_tx_cmd_build_rate() Alexei Safin
2025-04-25 5:59 ` Ping-Ke Shih
2025-04-27 6:39 ` Stanislaw Gruszka
2025-04-29 17:15 ` Fedor Pchelkin
2025-04-29 21:40 ` Stanislaw Gruszka
2025-05-17 7:40 ` Stanislaw Gruszka [this message]
2025-05-17 12:21 ` [PATCH] wifi: iwlegacy: Check rate_idx range after addition Fedor Pchelkin
2025-05-17 14:53 ` Stanislaw Gruszka
2025-05-25 14:45 ` [PATCH v2] " Stanislaw Gruszka
2025-05-27 19:17 ` Fedor Pchelkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250517074040.GA96365@wp.pl \
--to=stf_xl@wp.pl \
--cc=a.safin@rosa.ru \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=johannes@sipsolutions.net \
--cc=kuba@kernel.org \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=lvc-project@linuxtesting.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pchelkin@ispras.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.