From: Dan Carpenter Date: Fri, 29 Dec 2017 08:31:03 +0000 (+0800) Subject: rtlwifi: check for array overflow X-Git-Tag: v4.19~1702^2~158^2~55 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=5e0c1f0503cf79a04896875f59f82b73f9d754d4;p=platform%2Fkernel%2Flinux-rpi.git rtlwifi: check for array overflow This is merged by Ping-Ke Shih from commit dc33bd4309d2 ("staging: rtlwifi: check for array overflow"), and the original commit log is reserved below. Smatch is distrustful of the "capab" value and marks it as user controlled. I think it actually comes from the firmware? Anyway, I looked at other drivers and they added a bounds check and it seems like a harmless thing to have so I have added it here as well. Signed-off-by: Dan Carpenter Acked-by: Larry Finger Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ping-Ke Shih Signed-off-by: Kalle Valo --- diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c index 704741d6f495..2052e0e5e083 100644 --- a/drivers/net/wireless/realtek/rtlwifi/base.c +++ b/drivers/net/wireless/realtek/rtlwifi/base.c @@ -1321,6 +1321,10 @@ bool rtl_action_proc(struct ieee80211_hw *hw, struct sk_buff *skb, u8 is_tx) le16_to_cpu(mgmt->u.action.u.addba_req.capab); tid = (capab & IEEE80211_ADDBA_PARAM_TID_MASK) >> 2; + if (tid >= MAX_TID_COUNT) { + rcu_read_unlock(); + return true; + } tid_data = &sta_entry->tids[tid]; if (tid_data->agg.rx_agg_state == RTL_RX_AGG_START)