diff mbox series

[1/2] iwlwifi: mvm: d3: Fix off by ones in iwl_mvm_wowlan_get_rsc_v5_data()

Message ID 20210831081802.GA9846@kili (mailing list archive)
State Accepted
Commit 27a221f433b7ac6604845b09696e60e803972d3c
Delegated to: Kalle Valo
Headers show
Series [1/2] iwlwifi: mvm: d3: Fix off by ones in iwl_mvm_wowlan_get_rsc_v5_data() | expand

Commit Message

Dan Carpenter Aug. 31, 2021, 8:18 a.m. UTC
These should be >= ARRAY_SIZE() instead of > ARRAY_SIZE() to prevent an
out of bounds write on the next line.

Fixes: 79e561f0f05a ("iwlwifi: mvm: d3: implement RSC command version 5")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Kalle Valo Sept. 16, 2021, 5:05 p.m. UTC | #1
Dan Carpenter <dan.carpenter@oracle.com> writes:

> These should be >= ARRAY_SIZE() instead of > ARRAY_SIZE() to prevent an
> out of bounds write on the next line.
>
> Fixes: 79e561f0f05a ("iwlwifi: mvm: d3: implement RSC command version 5")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

I think I should take both patches to v5.15. Luca, do you agree? Ack?

I assigned these to me on patchwork.
Luca Coelho Sept. 17, 2021, 6:23 a.m. UTC | #2
On Tue, 2021-08-31 at 11:18 +0300, Dan Carpenter wrote:
> These should be >= ARRAY_SIZE() instead of > ARRAY_SIZE() to prevent an
> out of bounds write on the next line.
> 
> Fixes: 79e561f0f05a ("iwlwifi: mvm: d3: implement RSC command version 5")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
>  drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
> index 0e97d5e6c644..6e3a63a5a75c 100644
> --- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
> +++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
> @@ -360,11 +360,11 @@ static void iwl_mvm_wowlan_get_rsc_v5_data(struct ieee80211_hw *hw,
>  	if (sta) {
>  		rsc = data->rsc->ucast_rsc;
>  	} else {
> -		if (WARN_ON(data->gtks > ARRAY_SIZE(data->gtk_ids)))
> +		if (WARN_ON(data->gtks >= ARRAY_SIZE(data->gtk_ids)))
>  			return;
>  		data->gtk_ids[data->gtks] = key->keyidx;
>  		rsc = data->rsc->mcast_rsc[data->gtks % 2];
> -		if (WARN_ON(key->keyidx >
> +		if (WARN_ON(key->keyidx >=
>  				ARRAY_SIZE(data->rsc->mcast_key_id_map)))
>  			return;
>  		data->rsc->mcast_key_id_map[key->keyidx] = data->gtks % 2;

Thanks!

Acked-by: Luca Coelho <luca@coelho.fi>

--
Cheers,
Luca.
Luca Coelho Sept. 17, 2021, 6:25 a.m. UTC | #3
On Thu, 2021-09-16 at 20:05 +0300, Kalle Valo wrote:
> Dan Carpenter <dan.carpenter@oracle.com> writes:
> 
> > These should be >= ARRAY_SIZE() instead of > ARRAY_SIZE() to prevent an
> > out of bounds write on the next line.
> > 
> > Fixes: 79e561f0f05a ("iwlwifi: mvm: d3: implement RSC command version 5")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> I think I should take both patches to v5.15. Luca, do you agree? Ack?
> 
> I assigned these to me on patchwork.

Yes, please take them, thanks!

--
Cheers,
Luca.
Kalle Valo Sept. 19, 2021, 2:34 p.m. UTC | #4
Dan Carpenter <dan.carpenter@oracle.com> wrote:

> These should be >= ARRAY_SIZE() instead of > ARRAY_SIZE() to prevent an
> out of bounds write on the next line.
> 
> Fixes: 79e561f0f05a ("iwlwifi: mvm: d3: implement RSC command version 5")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> Acked-by: Luca Coelho <luca@coelho.fi>

2 patches applied to wireless-drivers.git, thanks.

27a221f433b7 iwlwifi: mvm: d3: Fix off by ones in iwl_mvm_wowlan_get_rsc_v5_data()
b6a46b4f6e4b iwlwifi: mvm: d3: missing unlock in iwl_mvm_wowlan_program_keys()
diff mbox series

Patch

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
index 0e97d5e6c644..6e3a63a5a75c 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
@@ -360,11 +360,11 @@  static void iwl_mvm_wowlan_get_rsc_v5_data(struct ieee80211_hw *hw,
 	if (sta) {
 		rsc = data->rsc->ucast_rsc;
 	} else {
-		if (WARN_ON(data->gtks > ARRAY_SIZE(data->gtk_ids)))
+		if (WARN_ON(data->gtks >= ARRAY_SIZE(data->gtk_ids)))
 			return;
 		data->gtk_ids[data->gtks] = key->keyidx;
 		rsc = data->rsc->mcast_rsc[data->gtks % 2];
-		if (WARN_ON(key->keyidx >
+		if (WARN_ON(key->keyidx >=
 				ARRAY_SIZE(data->rsc->mcast_key_id_map)))
 			return;
 		data->rsc->mcast_key_id_map[key->keyidx] = data->gtks % 2;