[PATCH] wifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps()
Jeff Johnson
quic_jjohnson at quicinc.com
Tue Aug 29 22:34:38 PDT 2023
On 8/29/2023 7:07 PM, Baochen Qiang wrote:
> reg_cap.phy_id is extracted from WMI event and could be an unexpected value
> in case some errors happen. As a result out-of-bound write may occur to
> soc->hal_reg_cap. Fix it by validating reg_cap.phy_id before using it.
>
> This is found during code review.
>
> Compile tested only.
>
> Signed-off-by: Baochen Qiang <quic_bqiang at quicinc.com>
Acked-by: Jeff Johnson <quic_jjohnson at quicinc.com>
> ---
> drivers/net/wireless/ath/ath12k/wmi.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
> index ef0f3cf35cfd..a8a7fa9f71cf 100644
> --- a/drivers/net/wireless/ath/ath12k/wmi.c
> +++ b/drivers/net/wireless/ath/ath12k/wmi.c
> @@ -3876,6 +3876,10 @@ static int ath12k_wmi_ext_hal_reg_caps(struct ath12k_base *soc,
> ath12k_warn(soc, "failed to extract reg cap %d\n", i);
> return ret;
> }
> + if (reg_cap.phy_id >= MAX_RADIOS) {
> + ath12k_warn(soc, "unexpected phy id %u\n", reg_cap.phy_id);
> + return -EINVAL;
> + }
> soc->hal_reg_cap[reg_cap.phy_id] = reg_cap;
> }
> return 0;
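Review bot: the new check at `if (reg_cap.phy_id >= MAX_RADIOS)` bounds the index with a constant, while the write it guards indexes soc->hal_reg_cap, whose declared size is not visible in this hunk. Writing the test as `reg_cap.phy_id >= ARRAY_SIZE(soc->hal_reg_cap)` would tie the bound to the array itself and keep the check correct if the two ever diverge. Separately, the `return -EINVAL;` appears to sit inside the loop over i, so entries stored by earlier iterations remain in soc->hal_reg_cap when a later one is rejected. It is worth confirming that the caller treats this error as fatal, so the partially filled table is never consumed. Since the commit message says the change is compile tested only, a run on hardware that confirms normal events still pass the check would be good before merging.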
>
> base-commit: a62b0aeb556839fb6abb9835874443b08fe95598