| Message ID | Yv8eGLdBslLAk3Ct@kili (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 620d5eaeb9059636864bda83ca1c68c20ede34a5 |
| Delegated to: | Kalle Valo |
| Headers | show |
| Series | wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse() | expand |
On 8/19/22 01:22, Dan Carpenter wrote: > There some bounds checking to ensure that "map_addr" is not out of > bounds before the start of the loop. But the checking needs to be > done as we iterate through the loop because "map_addr" gets larger as > we iterate. > > Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > .../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 14 +++++++------- > 1 file changed, 7 insertions(+), 7 deletions(-) Looks reasonable to me. Acked-by: Jes Sorensen <Jes.Sorensen@gmail.com> > diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c > index c66f0726b253..f3a107f19cf5 100644 > --- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c > +++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c > @@ -1878,13 +1878,6 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv) > > /* We have 8 bits to indicate validity */ > map_addr = offset * 8; > - if (map_addr >= EFUSE_MAP_LEN) { > - dev_warn(dev, "%s: Illegal map_addr (%04x), " > - "efuse corrupt!\n", > - __func__, map_addr); > - ret = -EINVAL; > - goto exit; > - } > for (i = 0; i < EFUSE_MAX_WORD_UNIT; i++) { > /* Check word enable condition in the section */ > if (word_mask & BIT(i)) { > @@ -1895,6 +1888,13 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv) > ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8); > if (ret) > goto exit; > + if (map_addr >= EFUSE_MAP_LEN - 1) { > + dev_warn(dev, "%s: Illegal map_addr (%04x), " > + "efuse corrupt!\n", > + __func__, map_addr); > + ret = -EINVAL; > + goto exit; > + } > priv->efuse_wifi.raw[map_addr++] = val8; > > ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8);
Dan Carpenter <dan.carpenter@oracle.com> wrote: > There some bounds checking to ensure that "map_addr" is not out of > bounds before the start of the loop. But the checking needs to be > done as we iterate through the loop because "map_addr" gets larger as > we iterate. > > Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > Acked-by: Jes Sorensen <Jes.Sorensen@gmail.com> Patch applied to wireless-next.git, thanks. 620d5eaeb905 wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse()
diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c index c66f0726b253..f3a107f19cf5 100644 --- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c @@ -1878,13 +1878,6 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv) /* We have 8 bits to indicate validity */ map_addr = offset * 8; - if (map_addr >= EFUSE_MAP_LEN) { - dev_warn(dev, "%s: Illegal map_addr (%04x), " - "efuse corrupt!\n", - __func__, map_addr); - ret = -EINVAL; - goto exit; - } for (i = 0; i < EFUSE_MAX_WORD_UNIT; i++) { /* Check word enable condition in the section */ if (word_mask & BIT(i)) { @@ -1895,6 +1888,13 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv) ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8); if (ret) goto exit; + if (map_addr >= EFUSE_MAP_LEN - 1) { + dev_warn(dev, "%s: Illegal map_addr (%04x), " + "efuse corrupt!\n", + __func__, map_addr); + ret = -EINVAL; + goto exit; + } priv->efuse_wifi.raw[map_addr++] = val8; ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8);
There some bounds checking to ensure that "map_addr" is not out of bounds before the start of the loop. But the checking needs to be done as we iterate through the loop because "map_addr" gets larger as we iterate. Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- .../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)