| From 3fd03101a325c518f081669eeb774e1a95f10d1a Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Sat, 9 Apr 2022 09:12:25 +0300 |
| Subject: ath9k_htc: fix potential out of bounds access with invalid |
| rxstatus->rs_keyix |
| MIME-Version: 1.0 |
| Content-Type: text/plain; charset=UTF-8 |
| Content-Transfer-Encoding: 8bit |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| [ Upstream commit 2dc509305cf956381532792cb8dceef2b1504765 ] |
| |
| The "rxstatus->rs_keyix" eventually gets passed to test_bit() so we need to |
| ensure that it is within the bitmap. |
| |
| drivers/net/wireless/ath/ath9k/common.c:46 ath9k_cmn_rx_accept() |
| error: passing untrusted data 'rx_stats->rs_keyix' to 'test_bit()' |
| |
| Fixes: 4ed1a8d4a257 ("ath9k_htc: use ath9k_cmn_rx_accept") |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Acked-by: Toke Høiland-Jørgensen <toke@toke.dk> |
| Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com> |
| Link: https://lore.kernel.org/r/20220409061225.GA5447@kili |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 8 ++++++++ |
| 1 file changed, 8 insertions(+) |
| |
| diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c |
| index 6a9c9b4ef2c9..fe4491eff8ca 100644 |
| --- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c |
| +++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c |
| @@ -1004,6 +1004,14 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv, |
| goto rx_next; |
| } |
| |
| + if (rxstatus->rs_keyix >= ATH_KEYMAX && |
| + rxstatus->rs_keyix != ATH9K_RXKEYIX_INVALID) { |
| + ath_dbg(common, ANY, |
| + "Invalid keyix, dropping (keyix: %d)\n", |
| + rxstatus->rs_keyix); |
| + goto rx_next; |
| + } |
| + |
| /* Get the RX status information */ |
| |
| memset(rx_status, 0, sizeof(struct ieee80211_rx_status)); |
| -- |
| 2.35.1 |
| |