ath6kl: add some bounds checking [Linux 4.9.187]

This Linux kernel change "ath6kl: add some bounds checking" is included in the Linux 4.9.187 release. This change is authored by Dan Carpenter <dan.carpenter [at] oracle.com> on Thu Apr 4 11:56:51 2019 +0300. The commit for this change in Linux stable tree is 8e8b0ba (patch) which is from upstream commit 5d6751e. The same Linux upstream change may have been applied to various maintained Linux releases and you can find all Linux releases containing changes from upstream 5d6751e.

ath6kl: add some bounds checking

[ Upstream commit 5d6751eaff672ea77642e74e92e6c0ac7f9709ab ]

The "ev->traffic_class" and "reply->ac" variables come from the network
and they're used as an offset into the wmi->stream_exist_for_ac[] array.
Those variables are u8 so they can be 0-255 but the stream_exist_for_ac[]
array only has WMM_NUM_AC (4) elements.  We need to add a couple bounds
checks to prevent array overflows.

I also modified one existing check from "if (traffic_class > 3) {" to
"if (traffic_class >= WMM_NUM_AC) {" just to make them all consistent.

Fixes: bdcd81707973 (" Add ath6kl cleaned up driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

There are 10 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 drivers/net/wireless/ath/ath6kl/wmi.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
index 3fd1cc9..55609fc 100644
--- a/drivers/net/wireless/ath/ath6kl/wmi.c
+++ b/drivers/net/wireless/ath/ath6kl/wmi.c
@@ -1178,6 +1178,10 @@ static int ath6kl_wmi_pstream_timeout_event_rx(struct wmi *wmi, u8 *datap,
        return -EINVAL;

    ev = (struct wmi_pstream_timeout_event *) datap;
+   if (ev->traffic_class >= WMM_NUM_AC) {
+       ath6kl_err("invalid traffic class: %d\n", ev->traffic_class);
+       return -EINVAL;
+   }

    /*
     * When the pstream (fat pipe == AC) timesout, it means there were
@@ -1519,6 +1523,10 @@ static int ath6kl_wmi_cac_event_rx(struct wmi *wmi, u8 *datap, int len,
        return -EINVAL;

    reply = (struct wmi_cac_event *) datap;
+   if (reply->ac >= WMM_NUM_AC) {
+       ath6kl_err("invalid AC: %d\n", reply->ac);
+       return -EINVAL;
+   }

    if ((reply->cac_indication == CAC_INDICATION_ADMISSION_RESP) &&
        (reply->status_code != IEEE80211_TSPEC_STATUS_ADMISS_ACCEPTED)) {
@@ -2635,7 +2643,7 @@ int ath6kl_wmi_delete_pstream_cmd(struct wmi *wmi, u8 if_idx, u8 traffic_class,
    u16 active_tsids = 0;
    int ret;

-   if (traffic_class > 3) {
+   if (traffic_class >= WMM_NUM_AC) {
        ath6kl_err("invalid traffic class: %d\n", traffic_class);
        return -EINVAL;
    }

Leave a Reply

Your email address will not be published. Required fields are marked *