wifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps()

[ Upstream commit b302dce3d9edea5b93d1902a541684a967f3c63c ]

reg_cap.phy_id is extracted from WMI event and could be an unexpected value
in case some errors happen. As a result out-of-bound write may occur to
soc->hal_reg_cap. Fix it by validating reg_cap.phy_id before using it.

This is found during code review.

Compile tested only.

Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230830020716.5420-1-quic_bqiang@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
index ef0f3cf35cfd1d3861cb13d07a6b3401a543c3d4..bddf4571d50c1d5e287a8178b546dcaa6a602ca2 100644 (file)
--- a/drivers/net/wireless/ath/ath12k/wmi.c
+++ b/drivers/net/wireless/ath/ath12k/wmi.c
@@ -3876,6 +3876,12 @@ static int ath12k_wmi_ext_hal_reg_caps(struct ath12k_base *soc,
                        ath12k_warn(soc, "failed to extract reg cap %d\n", i);
                        return ret;
                }
                        ath12k_warn(soc, "failed to extract reg cap %d\n", i);
                        return ret;
                }

+
+               if (reg_cap.phy_id >= MAX_RADIOS) {
+                       ath12k_warn(soc, "unexpected phy id %u\n", reg_cap.phy_id);
+                       return -EINVAL;
+               }
+

                soc->hal_reg_cap[reg_cap.phy_id] = reg_cap;
        }
        return 0;
                soc->hal_reg_cap[reg_cap.phy_id] = reg_cap;
        }
        return 0;