From patchwork Wed Oct  3 03:13:50 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sriram R <srirrama@codeaurora.org>
X-Patchwork-Id: 10624227
Return-Path: 
 <ath10k-bounces+patchwork-ath10k=patchwork.kernel.org@lists.infradead.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 71C2015A6
	for <patchwork-ath10k@patchwork.kernel.org>;
 Wed,  3 Oct 2018 03:15:03 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 64E712842A
	for <patchwork-ath10k@patchwork.kernel.org>;
 Wed,  3 Oct 2018 03:15:03 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 558B828458; Wed,  3 Oct 2018 03:15:03 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE autolearn=unavailable
	version=3.3.1
Received: from bombadil.infradead.org (bombadil.infradead.org
 [198.137.202.133])
	(using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id EC0E82842A
	for <patchwork-ath10k@patchwork.kernel.org>;
 Wed,  3 Oct 2018 03:15:02 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20170209; h=Sender:
	Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe:
	List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Message-Id:Date:
	Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date:
	Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
	References:List-Owner; bh=73RLZU99IIK7h6BU9VR1NhzprWPgOBZvWPJXhh0k4Hk=; b=ey/
	vzbGEzfzIINnKxRM/cLk0C3JaBY4G/BE29+XjNmjAKFUxB4l8cGYcxC0t5jdKXb/L6OE27HcZDmcL
	mvVmi9gLAIGFjnifdMbxU92ckJUKkaPscumGzsnuD//lsZzxbUMT8IId4ZCoO4asX+2Gvjm93jqlr
	L9eAQlXDVT6CjzJkuPLMkZ0HMGSqTiKenNax/U/BxW6jjZVItN2AvYPdvL2TG7TzRrXzA5nMw3TNy
	HhzXiZr9Rpd35pxr2LrXo+dzp67GgTrxkcwwrF2j+UpKm5iyc2Yv/biNWd0f8//BvsKxoG+wlFkHL
	zMHWzBCGdHdSZnmXc9Hr8Ght522NQuQ==;
Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.90_1 #2 (Red Hat Linux))
	id 1g7Xcn-0005Pe-1G; Wed, 03 Oct 2018 03:14:57 +0000
Received: from smtp.codeaurora.org ([198.145.29.96])
 by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux))
 id 1g7Xck-0005Op-00
 for ath10k@lists.infradead.org; Wed, 03 Oct 2018 03:14:55 +0000
Received: by smtp.codeaurora.org (Postfix, from userid 1000)
 id 390FA60BF4; Wed,  3 Oct 2018 03:14:43 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org;
 s=default; t=1538536483;
 bh=Q/epmxPfZWOSXm2yub+nB1Diosj1iyWeC8VD56qhZp0=;
 h=From:To:Cc:Subject:Date:From;
 b=Lck331Nde8gfm4evAXeRByD5WFd/hUxTZEUgpWZtlxVHiFE0EqR2PoFrTndsi1u/0
 dW9CEFLtRH4Gj0nrw+RcpN+9mhOfbJVgnJbpLYGQ/RZSw+wJCizQsccxw0GC8EUuSJ
 zvHIJvKJ0XOs5l2x7OLN9kFZ7n4rWi+RyzAimvn0=
Received: from checstp253621-lin.qualcomm.com
 (blr-c-bdr-fw-01_globalnat_allzones-outside.qualcomm.com [103.229.19.19])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits))
 (No client certificate requested)
 (Authenticated sender: srirrama@codeaurora.org)
 by smtp.codeaurora.org (Postfix) with ESMTPSA id 563AB60818;
 Wed,  3 Oct 2018 03:14:41 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org;
 s=default; t=1538536482;
 bh=Q/epmxPfZWOSXm2yub+nB1Diosj1iyWeC8VD56qhZp0=;
 h=From:To:Cc:Subject:Date:From;
 b=FF2JIuKGfLCUFVGsgGFTU9l6fEHMNlref13/XeLJQx+LlbyU65U48tWDRrFFAV6Oz
 6x6ryYme5ycbRudS+vF3QqcDacGOOPTIHNVKH/vb6IewTJ64wMRNKlT2RuI4V8U6Wi
 j8NMXc/bKe0RIsKCjirAkAp0+HsHEh46PMcRypzs=
DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org 563AB60818
Authentication-Results: pdx-caf-mail.web.codeaurora.org;
 dmarc=none (p=none dis=none) header.from=codeaurora.org
Authentication-Results: pdx-caf-mail.web.codeaurora.org;
 spf=none smtp.mailfrom=srirrama@codeaurora.org
From: Sriram R <srirrama@codeaurora.org>
To: ath10k@lists.infradead.org
Subject: [PATCH] ath10k: Fix possible out of bound access of ath10k_rates
 array
Date: Wed,  3 Oct 2018 08:43:50 +0530
Message-Id: <1538536430-6555-1-git-send-email-srirrama@codeaurora.org>
X-Mailer: git-send-email 2.7.4
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20181002_201454_076135_D3B616CE 
X-CRM114-Status: GOOD (  12.81  )
X-BeenThere: ath10k@lists.infradead.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <ath10k.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/ath10k>,
 <mailto:ath10k-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/ath10k/>
List-Post: <mailto:ath10k@lists.infradead.org>
List-Help: <mailto:ath10k-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/ath10k>,
 <mailto:ath10k-request@lists.infradead.org?subject=subscribe>
Cc: linux-wireless@vger.kernel.org, Sriram R <srirrama@codeaurora.org>
MIME-Version: 1.0
Sender: "ath10k" <ath10k-bounces@lists.infradead.org>
Errors-To: 
 ath10k-bounces+patchwork-ath10k=patchwork.kernel.org@lists.infradead.org
X-Virus-Scanned: ClamAV using ClamSMTP

While using 'ath10k_mac_get_rate_hw_value()' to obtain the hw value
from the passed bitrate, there is a chance of out of bound array access
when wrong bitrate is passed. This is fixed by comparing the bitrates
within the correct size of the ath10k_rates array.

Fixes commit f279294e9ee2 ("ath10k: add support for configuring management
packet rate")
(Also correction made to some indents used in the above commit)

Signed-off-by: Sriram R <srirrama@codeaurora.org>
---
 drivers/net/wireless/ath/ath10k/mac.c | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
index 3933dd9..1f1c1c7 100644
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -164,7 +164,7 @@ static int ath10k_mac_get_rate_hw_value(int bitrate)
 	if (ath10k_mac_bitrate_is_cck(bitrate))
 		hw_value_prefix = WMI_RATE_PREAMBLE_CCK << 6;
 
-	for (i = 0; i < sizeof(ath10k_rates); i++) {
+	for (i = 0; i < ARRAY_SIZE(ath10k_rates); i++) {
 		if (ath10k_rates[i].bitrate == bitrate)
 			return hw_value_prefix | ath10k_rates[i].hw_value;
 	}
@@ -5682,22 +5682,22 @@ static void ath10k_bss_info_changed(struct ieee80211_hw *hw,
 			return;
 		}
 
-	sband = ar->hw->wiphy->bands[def.chan->band];
-	basic_rate_idx = ffs(vif->bss_conf.basic_rates) - 1;
-	bitrate = sband->bitrates[basic_rate_idx].bitrate;
+		sband = ar->hw->wiphy->bands[def.chan->band];
+		basic_rate_idx = ffs(vif->bss_conf.basic_rates) - 1;
+		bitrate = sband->bitrates[basic_rate_idx].bitrate;
 
-	hw_rate_code = ath10k_mac_get_rate_hw_value(bitrate);
-	if (hw_rate_code < 0) {
-		ath10k_warn(ar, "bitrate not supported %d\n", bitrate);
-		mutex_unlock(&ar->conf_mutex);
-		return;
-	}
+		hw_rate_code = ath10k_mac_get_rate_hw_value(bitrate);
+		if (hw_rate_code < 0) {
+			ath10k_warn(ar, "bitrate not supported %d\n", bitrate);
+			mutex_unlock(&ar->conf_mutex);
+			return;
+		}
 
-	vdev_param = ar->wmi.vdev_param->mgmt_rate;
-	ret = ath10k_wmi_vdev_set_param(ar, arvif->vdev_id, vdev_param,
-					hw_rate_code);
-	if (ret)
-		ath10k_warn(ar, "failed to set mgmt tx rate %d\n", ret);
+		vdev_param = ar->wmi.vdev_param->mgmt_rate;
+		ret = ath10k_wmi_vdev_set_param(ar, arvif->vdev_id, vdev_param,
+						hw_rate_code);
+		if (ret)
+			ath10k_warn(ar, "failed to set mgmt tx rate %d\n", ret);
 	}
 
 	mutex_unlock(&ar->conf_mutex);