diff mbox series

wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse()

Message ID Yv8eGLdBslLAk3Ct@kili (mailing list archive)
State Accepted
Commit 620d5eaeb9059636864bda83ca1c68c20ede34a5
Delegated to: Kalle Valo
Headers show
Series wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse() | expand

Commit Message

Dan Carpenter Aug. 19, 2022, 5:22 a.m. UTC
There some bounds checking to ensure that "map_addr" is not out of
bounds before the start of the loop.  But the checking needs to be
done as we iterate through the loop because "map_addr" gets larger as
we iterate.

Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 .../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c  | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

Comments

Jes Sorensen Aug. 19, 2022, 1:43 p.m. UTC | #1
On 8/19/22 01:22, Dan Carpenter wrote:
> There some bounds checking to ensure that "map_addr" is not out of
> bounds before the start of the loop.  But the checking needs to be
> done as we iterate through the loop because "map_addr" gets larger as
> we iterate.
> 
> Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
>  .../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c  | 14 +++++++-------
>  1 file changed, 7 insertions(+), 7 deletions(-)

Looks reasonable to me.

Acked-by: Jes Sorensen <Jes.Sorensen@gmail.com>



> diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
> index c66f0726b253..f3a107f19cf5 100644
> --- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
> +++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
> @@ -1878,13 +1878,6 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv)
>  
>  		/* We have 8 bits to indicate validity */
>  		map_addr = offset * 8;
> -		if (map_addr >= EFUSE_MAP_LEN) {
> -			dev_warn(dev, "%s: Illegal map_addr (%04x), "
> -				 "efuse corrupt!\n",
> -				 __func__, map_addr);
> -			ret = -EINVAL;
> -			goto exit;
> -		}
>  		for (i = 0; i < EFUSE_MAX_WORD_UNIT; i++) {
>  			/* Check word enable condition in the section */
>  			if (word_mask & BIT(i)) {
> @@ -1895,6 +1888,13 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv)
>  			ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8);
>  			if (ret)
>  				goto exit;
> +			if (map_addr >= EFUSE_MAP_LEN - 1) {
> +				dev_warn(dev, "%s: Illegal map_addr (%04x), "
> +					 "efuse corrupt!\n",
> +					 __func__, map_addr);
> +				ret = -EINVAL;
> +				goto exit;
> +			}
>  			priv->efuse_wifi.raw[map_addr++] = val8;
>  
>  			ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8);
Kalle Valo Sept. 2, 2022, 8:44 a.m. UTC | #2
Dan Carpenter <dan.carpenter@oracle.com> wrote:

> There some bounds checking to ensure that "map_addr" is not out of
> bounds before the start of the loop.  But the checking needs to be
> done as we iterate through the loop because "map_addr" gets larger as
> we iterate.
> 
> Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> Acked-by: Jes Sorensen <Jes.Sorensen@gmail.com>

Patch applied to wireless-next.git, thanks.

620d5eaeb905 wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse()
diff mbox series

Patch

diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
index c66f0726b253..f3a107f19cf5 100644
--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
@@ -1878,13 +1878,6 @@  static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv)
 
 		/* We have 8 bits to indicate validity */
 		map_addr = offset * 8;
-		if (map_addr >= EFUSE_MAP_LEN) {
-			dev_warn(dev, "%s: Illegal map_addr (%04x), "
-				 "efuse corrupt!\n",
-				 __func__, map_addr);
-			ret = -EINVAL;
-			goto exit;
-		}
 		for (i = 0; i < EFUSE_MAX_WORD_UNIT; i++) {
 			/* Check word enable condition in the section */
 			if (word_mask & BIT(i)) {
@@ -1895,6 +1888,13 @@  static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv)
 			ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8);
 			if (ret)
 				goto exit;
+			if (map_addr >= EFUSE_MAP_LEN - 1) {
+				dev_warn(dev, "%s: Illegal map_addr (%04x), "
+					 "efuse corrupt!\n",
+					 __func__, map_addr);
+				ret = -EINVAL;
+				goto exit;
+			}
 			priv->efuse_wifi.raw[map_addr++] = val8;
 
 			ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8);