diff options
Diffstat (limited to 'package/kernel/ath10k-ct/patches/162-ath10k-fix-possible-out-of-bound-access-of-ath10k_ra.patch')
| -rw-r--r-- | package/kernel/ath10k-ct/patches/162-ath10k-fix-possible-out-of-bound-access-of-ath10k_ra.patch | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/package/kernel/ath10k-ct/patches/162-ath10k-fix-possible-out-of-bound-access-of-ath10k_ra.patch b/package/kernel/ath10k-ct/patches/162-ath10k-fix-possible-out-of-bound-access-of-ath10k_ra.patch new file mode 100644 index 0000000000..5edd517883 --- /dev/null +++ b/package/kernel/ath10k-ct/patches/162-ath10k-fix-possible-out-of-bound-access-of-ath10k_ra.patch @@ -0,0 +1,66 @@ +From: Sriram R <srirrama@codeaurora.org> +Date: Wed, 3 Oct 2018 08:43:50 +0530 +Subject: [PATCH] ath10k: fix possible out of bound access of ath10k_rates array + +While using 'ath10k_mac_get_rate_hw_value()' to obtain the hw value +from the passed bitrate, there is a chance of out of bound array access +when wrong bitrate is passed. This is fixed by comparing the bitrates +within the correct size of the ath10k_rates array. + +Fixes commit f279294e9ee2 ("ath10k: add support for configuring management +packet rate"). Also correction made to some indents used in the above commit. + +Signed-off-by: Sriram R <srirrama@codeaurora.org> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> + +Origin: backport, https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=34e141eea7dd8525dd1ef7a925459e455b4d307f +--- +--- a/ath10k-4.19/mac.c ++++ b/ath10k-4.19/mac.c +@@ -165,7 +165,7 @@ static int ath10k_mac_get_rate_hw_value( + if (ath10k_mac_bitrate_is_cck(bitrate)) + hw_value_prefix = WMI_RATE_PREAMBLE_CCK << 6; + +- for (i = 0; i < sizeof(ath10k_rates); i++) { ++ for (i = 0; i < ARRAY_SIZE(ath10k_rates); i++) { + if (ath10k_rates[i].bitrate == bitrate) + return hw_value_prefix | ath10k_rates[i].hw_value; + } +@@ -6479,22 +6479,22 @@ static void ath10k_bss_info_changed(stru + return; + } + +- sband = ar->hw->wiphy->bands[def.chan->band]; +- basic_rate_idx = ffs(vif->bss_conf.basic_rates) - 1; +- bitrate = sband->bitrates[basic_rate_idx].bitrate; +- +- hw_rate_code = ath10k_mac_get_rate_hw_value(bitrate); +- if (hw_rate_code < 0) { +- ath10k_warn(ar, "bitrate not supported %d\n", bitrate); +- mutex_unlock(&ar->conf_mutex); +- return; +- } ++ sband = ar->hw->wiphy->bands[def.chan->band]; ++ basic_rate_idx = ffs(vif->bss_conf.basic_rates) - 1; ++ bitrate = sband->bitrates[basic_rate_idx].bitrate; ++ ++ hw_rate_code = ath10k_mac_get_rate_hw_value(bitrate); ++ if (hw_rate_code < 0) { ++ ath10k_warn(ar, "bitrate not supported %d\n", bitrate); ++ mutex_unlock(&ar->conf_mutex); ++ return; ++ } + +- vdev_param = ar->wmi.vdev_param->mgmt_rate; +- ret = ath10k_wmi_vdev_set_param(ar, arvif->vdev_id, vdev_param, +- hw_rate_code); +- if (ret) +- ath10k_warn(ar, "failed to set mgmt tx rate %d\n", ret); ++ vdev_param = ar->wmi.vdev_param->mgmt_rate; ++ ret = ath10k_wmi_vdev_set_param(ar, arvif->vdev_id, vdev_param, ++ hw_rate_code); ++ if (ret) ++ ath10k_warn(ar, "failed to set mgmt tx rate %d\n", ret); + } + + mutex_unlock(&ar->conf_mutex); |