mt76: mt7915: fix unbounded shift in mt7915_mcu_beacon_mbss

Fix the following smatch static checker warning:
	drivers/net/wireless/mediatek/mt76/mt7915/mcu.c:1872 mt7915_mcu_beacon_mbss()
	error: undefined (user controlled) shift '(((1))) << (data[2])'

Rely on mac80211 definitions for ieee80211_bssid_index subelement.

Fixes: 6b7f9aff7c67 ("mt76: mt7915: introduce 802.11ax multi-bss support")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>

diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
index df31084..6bd8e75 100644 (file)
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
@@ -1854,7 +1854,8 @@ mt7915_mcu_beacon_mbss(struct sk_buff *rskb, struct sk_buff *skb,
                        continue;
 
                for_each_element(sub_elem, elem->data + 1, elem->datalen - 1) {
-                       const u8 *data;
+                       const struct ieee80211_bssid_index *idx;
+                       const u8 *idx_ie;
 
                        if (sub_elem->id || sub_elem->datalen < 4)
                                continue; /* not a valid BSS profile */
@@ -1862,14 +1863,19 @@ mt7915_mcu_beacon_mbss(struct sk_buff *rskb, struct sk_buff *skb,
                        /* Find WLAN_EID_MULTI_BSSID_IDX
                         * in the merged nontransmitted profile
                         */
-                       data = cfg80211_find_ie(WLAN_EID_MULTI_BSSID_IDX,
-                                               sub_elem->data,
-                                               sub_elem->datalen);
-                       if (!data || data[1] < 1 || !data[2])
+                       idx_ie = cfg80211_find_ie(WLAN_EID_MULTI_BSSID_IDX,
+                                                 sub_elem->data,
+                                                 sub_elem->datalen);
+                       if (!idx_ie || idx_ie[1] < sizeof(*idx))
                                continue;
 
-                       mbss->offset[data[2]] = cpu_to_le16(data - skb->data);
-                       mbss->bitmap |= cpu_to_le32(BIT(data[2]));
+                       idx = (void *)(idx_ie + 2);
+                       if (!idx->bssid_index || idx->bssid_index > 31)
+                               continue;
+
+                       mbss->offset[idx->bssid_index] =
+                               cpu_to_le16(idx_ie - skb->data);
+                       mbss->bitmap |= cpu_to_le32(BIT(idx->bssid_index));
                }
        }
 }