
Commit e6a6cf4c authored by Reinette Chatre, committed by John W. Linville

iwlwifi: prevent read outside array bounds



With EDCA and HCCA we have 16 potential tid values. This is accommodated by
mac80211, but iwlwifi only supports EDCA. With this implementation it is
thus possible for mac80211 to request a tid that will cause iwlwifi to read
outside array bounds. A similar problem exists if traffic is received in an
unsupported category.

We add error checking to catch these situations.

Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
parent a8b875e7
+3 −0
@@ -332,6 +332,9 @@ static u8 rs_tl_add_packet(struct iwl_lq_sta *lq_data,
	} else
		return MAX_TID_COUNT;

	if (unlikely(tid >= TID_MAX_LOAD_COUNT))
		return MAX_TID_COUNT;

	tl = &lq_data->load[tid];

	curr_time -= curr_time % TID_ROUND_VALUE;
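Review bot: The new check in rs_tl_add_packet() bounds tid by TID_MAX_LOAD_COUNT but reports failure with MAX_TID_COUNT, and nothing in the hunk says how the two constants relate. If load[] is sized by TID_MAX_LOAD_COUNT and MAX_TID_COUNT is only the "no valid tid" return value (as in the else branch just above), a one-line comment saying so would stop a later cleanup from swapping one for the other. The callers should also be checked to confirm they never use a returned MAX_TID_COUNT as an index.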
+5 −0
@@ -745,6 +745,8 @@ int iwl_tx_skb(struct iwl_priv *priv, struct sk_buff *skb)
	if (ieee80211_is_data_qos(fc)) {
		qc = ieee80211_get_qos_ctl(hdr);
		tid = qc[0] & IEEE80211_QOS_CTL_TID_MASK;
		if (unlikely(tid >= MAX_TID_COUNT))
			goto drop_unlock;
		seq_number = priv->stations[sta_id].tid[tid].seq_number;
		seq_number &= IEEE80211_SCTL_SEQ;
		hdr->seq_ctrl = hdr->seq_ctrl &
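Review bot: The out-of-range branch in iwl_tx_skb() (tid >= MAX_TID_COUNT, then goto drop_unlock) discards the frame without leaving any trace. Since tid comes from qc[0] & IEEE80211_QOS_CTL_TID_MASK and the commit message says 16 values are possible, this path is reachable whenever mac80211 hands down a frame in an unsupported TID; a rate-limited debug message naming the tid before the goto would make such drops diagnosable.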
@@ -1238,6 +1240,9 @@ int iwl_tx_agg_stop(struct iwl_priv *priv , const u8 *ra, u16 tid)
		return -EINVAL;
	}

	if (unlikely(tid >= MAX_TID_COUNT))
		return -EINVAL;

	if (likely(tid < ARRAY_SIZE(default_tid_to_tx_fifo)))
		tx_fifo_id = default_tid_to_tx_fifo[tid];
	else
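Review bot: In iwl_tx_agg_stop() the added tid >= MAX_TID_COUNT test sits directly above the existing tid < ARRAY_SIZE(default_tid_to_tx_fifo) test, so tid is now range-checked twice against two different bounds. If the table has at least MAX_TID_COUNT entries, the else branch that follows is dead code and can be removed; if it has fewer, a comment explaining why both limits are needed would help the next reader.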
+2 −0
@@ -544,6 +544,8 @@ static int iwl3945_tx_skb(struct iwl_priv *priv, struct sk_buff *skb)
	if (ieee80211_is_data_qos(fc)) {
		qc = ieee80211_get_qos_ctl(hdr);
		tid = qc[0] & IEEE80211_QOS_CTL_TID_MASK;
		if (unlikely(tid >= MAX_TID_COUNT))
			goto drop;
		seq_number = priv->stations[sta_id].tid[tid].seq_number &
				IEEE80211_SCTL_SEQ;
		hdr->seq_ctrl = cpu_to_le16(seq_number) |
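Review bot: The check in iwl3945_tx_skb() exits through drop, while the otherwise identical check in iwl_tx_skb() exits through drop_unlock; please confirm that no lock is held at this point in the 3945 path, since the hunk context does not show it. The same three steps (extract tid, compare with MAX_TID_COUNT, bail out) are now duplicated in both transmit paths, and a small shared helper that returns the validated tid would keep them from diverging.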