iwlwifi: prevent read outside array bounds
With EDCA and HCCA we have 16 potential tid values. This is accommodated by mac80211, but iwlwifi only supports EDCA. With this implementation it is thus possible for mac80211 to request a tid that will cause iwlwifi to read outside array bounds. A similar problem exists if traffic is received in an unsupported category. We add error checking to catch these situations. Signed-off-by: Reinette Chatre <reinette.chatre@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
This commit is contained in:
parent
a8b875e7dc
commit
e6a6cf4c42
@ -332,6 +332,9 @@ static u8 rs_tl_add_packet(struct iwl_lq_sta *lq_data,
|
||||
} else
|
||||
return MAX_TID_COUNT;
|
||||
|
||||
if (unlikely(tid >= TID_MAX_LOAD_COUNT))
|
||||
return MAX_TID_COUNT;
|
||||
|
||||
tl = &lq_data->load[tid];
|
||||
|
||||
curr_time -= curr_time % TID_ROUND_VALUE;
|
||||
|
@ -745,6 +745,8 @@ int iwl_tx_skb(struct iwl_priv *priv, struct sk_buff *skb)
|
||||
if (ieee80211_is_data_qos(fc)) {
|
||||
qc = ieee80211_get_qos_ctl(hdr);
|
||||
tid = qc[0] & IEEE80211_QOS_CTL_TID_MASK;
|
||||
if (unlikely(tid >= MAX_TID_COUNT))
|
||||
goto drop_unlock;
|
||||
seq_number = priv->stations[sta_id].tid[tid].seq_number;
|
||||
seq_number &= IEEE80211_SCTL_SEQ;
|
||||
hdr->seq_ctrl = hdr->seq_ctrl &
|
||||
@ -1238,6 +1240,9 @@ int iwl_tx_agg_stop(struct iwl_priv *priv , const u8 *ra, u16 tid)
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
if (unlikely(tid >= MAX_TID_COUNT))
|
||||
return -EINVAL;
|
||||
|
||||
if (likely(tid < ARRAY_SIZE(default_tid_to_tx_fifo)))
|
||||
tx_fifo_id = default_tid_to_tx_fifo[tid];
|
||||
else
|
||||
|
@ -544,6 +544,8 @@ static int iwl3945_tx_skb(struct iwl_priv *priv, struct sk_buff *skb)
|
||||
if (ieee80211_is_data_qos(fc)) {
|
||||
qc = ieee80211_get_qos_ctl(hdr);
|
||||
tid = qc[0] & IEEE80211_QOS_CTL_TID_MASK;
|
||||
if (unlikely(tid >= MAX_TID_COUNT))
|
||||
goto drop;
|
||||
seq_number = priv->stations[sta_id].tid[tid].seq_number &
|
||||
IEEE80211_SCTL_SEQ;
|
||||
hdr->seq_ctrl = cpu_to_le16(seq_number) |
|
||||
|
Loading…
x
Reference in New Issue
Block a user