wifi: iwlwifi: mvm: Validate tid is in valid range before using it

Validate tid is less then MAX TID when it is used to access
corresponding arrays.

Signed-off-by: Anjaneyulu <pagadala.yesu.anjaneyulu@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230614123447.cea75e1f57e7.I03bc0a81d2c1bdbf4784c12c4c62b8538892ccba@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rx.c b/drivers/net/wireless/intel/iwlwifi/mvm/rx.c
index b38b242..542c192 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/mvm/rx.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/rx.c
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
 /*
- * Copyright (C) 2012-2014, 2018-2022 Intel Corporation
+ * Copyright (C) 2012-2014, 2018-2023 Intel Corporation
  * Copyright (C) 2013-2015 Intel Mobile Communications GmbH
  * Copyright (C) 2016-2017 Intel Deutschland GmbH
  */
@@ -213,8 +213,12 @@ static void iwl_mvm_rx_handle_tcm(struct iwl_mvm *mvm,
        };
        u16 thr;
 
-       if (ieee80211_is_data_qos(hdr->frame_control))
-               ac = tid_to_mac80211_ac[ieee80211_get_tid(hdr)];
+       if (ieee80211_is_data_qos(hdr->frame_control)) {
+               u8 tid = ieee80211_get_tid(hdr);
+
+               if (tid < IWL_MAX_TID_COUNT)
+                       ac = tid_to_mac80211_ac[tid];
+       }
 
        mvmsta = iwl_mvm_sta_from_mac80211(sta);
        mac = mvmsta->mac_id_n_color & FW_CTXT_ID_MSK;

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
index 5c06839..9dbe71d 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
@@ -484,7 +484,7 @@ static void iwl_mvm_rx_csum(struct iwl_mvm *mvm,
 }
 
 /*
- * returns true if a packet is a duplicate and should be dropped.
+ * returns true if a packet is a duplicate or invalid tid and should be dropped.
  * Updates AMSDU PN tracking info
  */
 static bool iwl_mvm_is_dup(struct ieee80211_sta *sta, int queue,
@@ -513,11 +513,14 @@ static bool iwl_mvm_is_dup(struct ieee80211_sta *sta, int queue,
                return false;
        }
 
-       if (ieee80211_is_data_qos(hdr->frame_control))
+       if (ieee80211_is_data_qos(hdr->frame_control)) {
                /* frame has qos control */
                tid = ieee80211_get_tid(hdr);
-       else
+               if (tid >= IWL_MAX_TID_COUNT)
+                       return true;
+       } else {
                tid = IWL_MAX_TID_COUNT;
+       }
 
        /* If this wasn't a part of an A-MSDU the sub-frame index will be 0 */
        sub_frame_idx = desc->amsdu_info &