Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 321c51aa authored Aug 19, 2022 by Dan Carpenter Committed by Greg Kroah-Hartman Oct 26, 2022

wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse()



[ Upstream commit 620d5eaeb9059636864bda83ca1c68c20ede34a5 ]

There some bounds checking to ensure that "map_addr" is not out of
bounds before the start of the loop.  But the checking needs to be
done as we iterate through the loop because "map_addr" gets larger as
we iterate.

Fixes: 26f1fad2 ("New driver: rtl8xxxu (mac80211)")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Jes Sorensen <Jes.Sorensen@gmail.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/Yv8eGLdBslLAk3Ct@kili


Signed-off-by: Sasha Levin <sashal@kernel.org>

parent 79936807

drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c

+7 −7

Original line number	Diff line number	Diff line
		@@ -1875,13 +1875,6 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv)

		/* We have 8 bits to indicate validity */
		map_addr = offset * 8;
		if (map_addr >= EFUSE_MAP_LEN) {
		dev_warn(dev, "%s: Illegal map_addr (%04x), "
		"efuse corrupt!\n",
		__func__, map_addr);
		ret = -EINVAL;
		goto exit;
		}
		for (i = 0; i < EFUSE_MAX_WORD_UNIT; i++) {
		/* Check word enable condition in the section */
		if (word_mask & BIT(i)) {
		@@ -1892,6 +1885,13 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv)
		ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8);
		if (ret)
		goto exit;
		if (map_addr >= EFUSE_MAP_LEN - 1) {
		dev_warn(dev, "%s: Illegal map_addr (%04x), "
		"efuse corrupt!\n",
		__func__, map_addr);
		ret = -EINVAL;
		goto exit;
		}
		priv->efuse_wifi.raw[map_addr++] = val8;

		ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8);