From patchwork Fri Dec 29 08:31:03 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ping-Ke Shih X-Patchwork-Id: 10136683 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id B76FF60318 for ; Fri, 29 Dec 2017 08:33:04 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A4D892CBB5 for ; Fri, 29 Dec 2017 08:33:04 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 99B492CBC8; Fri, 29 Dec 2017 08:33:04 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E6FAC2CBC3 for ; Fri, 29 Dec 2017 08:33:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932376AbdL2Icw (ORCPT ); Fri, 29 Dec 2017 03:32:52 -0500 Received: from rtits2.realtek.com ([211.75.126.72]:52789 "EHLO rtits2.realtek.com.tw" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755328AbdL2Ibk (ORCPT ); Fri, 29 Dec 2017 03:31:40 -0500 Authenticated-By: X-SpamFilter-By: BOX Solutions SpamTrap 5.62 with qID vBT8VOLI024214, This message is accepted by code: ctloc85258 Received: from mail.realtek.com (rtitexh01.realtek.com.tw [172.21.6.62]) by rtits2.realtek.com.tw (8.15.2/2.57/5.78) with ESMTP id vBT8VOLI024214; Fri, 29 Dec 2017 16:31:25 +0800 Received: from RTITCASV01.realtek.com.tw (172.21.6.18) by RTITEXH01.realtek.com.tw (172.21.6.62) with Microsoft SMTP Server (TLS) id 14.3.361.1; Fri, 29 Dec 2017 16:31:24 +0800 Received: from localhost.localdomain (172.21.69.107) by RTITCASV01.realtek.com.tw (172.21.6.18) with Microsoft SMTP Server id 14.3.294.0; Fri, 29 Dec 2017 16:31:24 +0800 From: To: CC: , , , Subject: [PATCH 02/11] rtlwifi: check for array overflow Date: Fri, 29 Dec 2017 16:31:03 +0800 Message-ID: <20171229083112.31540-3-pkshih@realtek.com> X-Mailer: git-send-email 2.14.1 In-Reply-To: <20171229083112.31540-1-pkshih@realtek.com> References: <20171229083112.31540-1-pkshih@realtek.com> MIME-Version: 1.0 X-Originating-IP: [172.21.69.107] Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Dan Carpenter This is merged by Ping-Ke Shih from commit dc33bd4309d2 ("staging: rtlwifi: check for array overflow"), and the original commit log is reserved below. Smatch is distrustful of the "capab" value and marks it as user controlled. I think it actually comes from the firmware? Anyway, I looked at other drivers and they added a bounds check and it seems like a harmless thing to have so I have added it here as well. Signed-off-by: Dan Carpenter Acked-by: Larry Finger Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ping-Ke Shih --- drivers/net/wireless/realtek/rtlwifi/base.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c index 704741d6f495..2052e0e5e083 100644 --- a/drivers/net/wireless/realtek/rtlwifi/base.c +++ b/drivers/net/wireless/realtek/rtlwifi/base.c @@ -1321,6 +1321,10 @@ bool rtl_action_proc(struct ieee80211_hw *hw, struct sk_buff *skb, u8 is_tx) le16_to_cpu(mgmt->u.action.u.addba_req.capab); tid = (capab & IEEE80211_ADDBA_PARAM_TID_MASK) >> 2; + if (tid >= MAX_TID_COUNT) { + rcu_read_unlock(); + return true; + } tid_data = &sta_entry->tids[tid]; if (tid_data->agg.rx_agg_state == RTL_RX_AGG_START)