From: Baochen Qiang Date: Wed, 20 Sep 2023 13:43:42 +0000 (+0300) Subject: wifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps() X-Git-Tag: v6.6.17~3016 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=4dd0547e8b45faf6f95373be5436b66cde326c0e;p=platform%2Fkernel%2Flinux-rpi.git wifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps() [ Upstream commit b302dce3d9edea5b93d1902a541684a967f3c63c ] reg_cap.phy_id is extracted from WMI event and could be an unexpected value in case some errors happen. As a result out-of-bound write may occur to soc->hal_reg_cap. Fix it by validating reg_cap.phy_id before using it. This is found during code review. Compile tested only. Signed-off-by: Baochen Qiang Acked-by: Jeff Johnson Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20230830020716.5420-1-quic_bqiang@quicinc.com Signed-off-by: Sasha Levin --- diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c index ef0f3cf..bddf457 100644 --- a/drivers/net/wireless/ath/ath12k/wmi.c +++ b/drivers/net/wireless/ath/ath12k/wmi.c @@ -3876,6 +3876,12 @@ static int ath12k_wmi_ext_hal_reg_caps(struct ath12k_base *soc, ath12k_warn(soc, "failed to extract reg cap %d\n", i); return ret; } + + if (reg_cap.phy_id >= MAX_RADIOS) { + ath12k_warn(soc, "unexpected phy id %u\n", reg_cap.phy_id); + return -EINVAL; + } + soc->hal_reg_cap[reg_cap.phy_id] = reg_cap; } return 0;