Message ID | 20210831081802.GA9846@kili (mailing list archive) |
---|---|
State | Accepted |
Commit | 27a221f433b7ac6604845b09696e60e803972d3c |
Delegated to: | Kalle Valo |
Headers | show |
Series | [1/2] iwlwifi: mvm: d3: Fix off by ones in iwl_mvm_wowlan_get_rsc_v5_data() | expand |
Dan Carpenter <dan.carpenter@oracle.com> writes: > These should be >= ARRAY_SIZE() instead of > ARRAY_SIZE() to prevent an > out of bounds write on the next line. > > Fixes: 79e561f0f05a ("iwlwifi: mvm: d3: implement RSC command version 5") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> I think I should take both patches to v5.15. Luca, do you agree? Ack? I assigned these to me on patchwork.
On Tue, 2021-08-31 at 11:18 +0300, Dan Carpenter wrote: > These should be >= ARRAY_SIZE() instead of > ARRAY_SIZE() to prevent an > out of bounds write on the next line. > > Fixes: 79e561f0f05a ("iwlwifi: mvm: d3: implement RSC command version 5") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c > index 0e97d5e6c644..6e3a63a5a75c 100644 > --- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c > +++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c > @@ -360,11 +360,11 @@ static void iwl_mvm_wowlan_get_rsc_v5_data(struct ieee80211_hw *hw, > if (sta) { > rsc = data->rsc->ucast_rsc; > } else { > - if (WARN_ON(data->gtks > ARRAY_SIZE(data->gtk_ids))) > + if (WARN_ON(data->gtks >= ARRAY_SIZE(data->gtk_ids))) > return; > data->gtk_ids[data->gtks] = key->keyidx; > rsc = data->rsc->mcast_rsc[data->gtks % 2]; > - if (WARN_ON(key->keyidx > > + if (WARN_ON(key->keyidx >= > ARRAY_SIZE(data->rsc->mcast_key_id_map))) > return; > data->rsc->mcast_key_id_map[key->keyidx] = data->gtks % 2; Thanks! Acked-by: Luca Coelho <luca@coelho.fi> -- Cheers, Luca.
On Thu, 2021-09-16 at 20:05 +0300, Kalle Valo wrote: > Dan Carpenter <dan.carpenter@oracle.com> writes: > > > These should be >= ARRAY_SIZE() instead of > ARRAY_SIZE() to prevent an > > out of bounds write on the next line. > > > > Fixes: 79e561f0f05a ("iwlwifi: mvm: d3: implement RSC command version 5") > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > I think I should take both patches to v5.15. Luca, do you agree? Ack? > > I assigned these to me on patchwork. Yes, please take them, thanks! -- Cheers, Luca.
Dan Carpenter <dan.carpenter@oracle.com> wrote: > These should be >= ARRAY_SIZE() instead of > ARRAY_SIZE() to prevent an > out of bounds write on the next line. > > Fixes: 79e561f0f05a ("iwlwifi: mvm: d3: implement RSC command version 5") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > Acked-by: Luca Coelho <luca@coelho.fi> 2 patches applied to wireless-drivers.git, thanks. 27a221f433b7 iwlwifi: mvm: d3: Fix off by ones in iwl_mvm_wowlan_get_rsc_v5_data() b6a46b4f6e4b iwlwifi: mvm: d3: missing unlock in iwl_mvm_wowlan_program_keys()
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c index 0e97d5e6c644..6e3a63a5a75c 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c @@ -360,11 +360,11 @@ static void iwl_mvm_wowlan_get_rsc_v5_data(struct ieee80211_hw *hw, if (sta) { rsc = data->rsc->ucast_rsc; } else { - if (WARN_ON(data->gtks > ARRAY_SIZE(data->gtk_ids))) + if (WARN_ON(data->gtks >= ARRAY_SIZE(data->gtk_ids))) return; data->gtk_ids[data->gtks] = key->keyidx; rsc = data->rsc->mcast_rsc[data->gtks % 2]; - if (WARN_ON(key->keyidx > + if (WARN_ON(key->keyidx >= ARRAY_SIZE(data->rsc->mcast_key_id_map))) return; data->rsc->mcast_key_id_map[key->keyidx] = data->gtks % 2;
These should be >= ARRAY_SIZE() instead of > ARRAY_SIZE() to prevent an out of bounds write on the next line. Fixes: 79e561f0f05a ("iwlwifi: mvm: d3: implement RSC command version 5") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)