| Message ID | 20240703210510.11089-1-amishin@t-argos.ru (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Ping-Ke Shih |
| Headers | show |
| Series | [net] wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter() | expand |
Aleksandr Mishin <amishin@t-argos.ru> writes: > In rtw89_sta_info_get_iter() 'status->he_gi' is compared to array size. > But then 'rate->he_gi' is used as array index instead of 'status->he_gi'. > This can lead to go beyond array boundaries in case of 'rate->he_gi' is > not equal to 'status->he_gi' and is bigger than array size. Looks like > "copy-paste" mistake. > > Fix this mistake by replacing 'rate->he_gi' with 'status->he_gi'. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: e3ec7017f6a2 ("rtw89: add Realtek 802.11ax driver") > Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru> A reminder for maintainers: rtw89 patches go to Ping's rtw tree, not net tree.
Aleksandr Mishin <amishin@t-argos.ru> wrote: > In rtw89_sta_info_get_iter() 'status->he_gi' is compared to array size. > But then 'rate->he_gi' is used as array index instead of 'status->he_gi'. > This can lead to go beyond array boundaries in case of 'rate->he_gi' is > not equal to 'status->he_gi' and is bigger than array size. Looks like > "copy-paste" mistake. > > Fix this mistake by replacing 'rate->he_gi' with 'status->he_gi'. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: e3ec7017f6a2 ("rtw89: add Realtek 802.11ax driver") > Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru> 1 patch(es) applied to rtw-next branch of rtw.git, thanks. 85099c7ce4f9 wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter() --- https://github.com/pkshih/rtw.git
diff --git a/drivers/net/wireless/realtek/rtw89/debug.c b/drivers/net/wireless/realtek/rtw89/debug.c index affffc4092ba..5b4077c9fd28 100644 --- a/drivers/net/wireless/realtek/rtw89/debug.c +++ b/drivers/net/wireless/realtek/rtw89/debug.c @@ -3531,7 +3531,7 @@ static void rtw89_sta_info_get_iter(void *data, struct ieee80211_sta *sta) case RX_ENC_HE: seq_printf(m, "HE %dSS MCS-%d GI:%s", status->nss, status->rate_idx, status->he_gi <= NL80211_RATE_INFO_HE_GI_3_2 ? - he_gi_str[rate->he_gi] : "N/A"); + he_gi_str[status->he_gi] : "N/A"); break; case RX_ENC_EHT: seq_printf(m, "EHT %dSS MCS-%d GI:%s", status->nss, status->rate_idx,
In rtw89_sta_info_get_iter() 'status->he_gi' is compared to array size. But then 'rate->he_gi' is used as array index instead of 'status->he_gi'. This can lead to go beyond array boundaries in case of 'rate->he_gi' is not equal to 'status->he_gi' and is bigger than array size. Looks like "copy-paste" mistake. Fix this mistake by replacing 'rate->he_gi' with 'status->he_gi'. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: e3ec7017f6a2 ("rtw89: add Realtek 802.11ax driver") Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru> --- drivers/net/wireless/realtek/rtw89/debug.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)