From d54601b92fbde2a7021a844e1373ba8c778cc0a3 Mon Sep 17 00:00:00 2001 From: Raja Mani Date: Fri, 21 Sep 2012 15:08:54 +0530 Subject: [PATCH] ath6kl: Check for valid rate table index There are 28 items defined in rate table array 'wmi_rate_tbl'. The rate table index (reply->rate_index) in ath6kl_wmi_bitrate_reply_rx() func is not checked for the valid max limit index before accessing rate table array. There may be some incidents to get memory crashes without safe max check. Fix this. Found this on code review. Signed-off-by: Raja Mani Signed-off-by: Kalle Valo --- drivers/net/wireless/ath/ath6kl/wmi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c index 64b81fd..f3aeebb 100644 --- a/drivers/net/wireless/ath/ath6kl/wmi.c +++ b/drivers/net/wireless/ath/ath6kl/wmi.c @@ -1174,6 +1174,9 @@ static int ath6kl_wmi_bitrate_reply_rx(struct wmi *wmi, u8 *datap, int len) rate = RATE_AUTO; } else { index = reply->rate_index & 0x7f; + if (WARN_ON_ONCE(index > (RATE_MCS_7_40 + 1))) + return -EINVAL; + sgi = (reply->rate_index & 0x80) ? 1 : 0; rate = wmi_rate_tbl[index][sgi]; } -- 2.7.4