From: Eyal Shapira <eyal@wizery.com>
Date: Wed, 31 Dec 2014 15:58:23 +0000 (+0200)
Subject: iwlwifi: mvm: fix out of bounds access to tid_to_mac80211_ac
X-Git-Tag: firefly_0821_release~176^2~2456^2~25^2~2^2~6
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=a9dc5060bf3a32ac3dad472f15416054b92dc5b5;p=firefly-linux-kernel-4.4.55.git

iwlwifi: mvm: fix out of bounds access to tid_to_mac80211_ac

When tid_tspec was set to IWL_TID_NON_QOS (8) this led to an
out of bounds access to the tid_to_mac80211_ac array whose size
is 7. Fix this.

Signed-off-by: Eyal Shapira <eyalx.shapira@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
---

diff --git a/drivers/net/wireless/iwlwifi/mvm/tx.c b/drivers/net/wireless/iwlwifi/mvm/tx.c
index 4f15d9decc81..4333306ccdee 100644
--- a/drivers/net/wireless/iwlwifi/mvm/tx.c
+++ b/drivers/net/wireless/iwlwifi/mvm/tx.c
@@ -108,8 +108,12 @@ void iwl_mvm_set_tx_cmd(struct iwl_mvm *mvm, struct sk_buff *skb,
 			tx_flags &= ~TX_CMD_FLG_SEQ_CTL;
 	}
 
-	/* tid_tspec will default to 0 = BE when QOS isn't enabled */
-	ac = tid_to_mac80211_ac[tx_cmd->tid_tspec];
+	/* Default to 0 (BE) when tid_spec is set to IWL_TID_NON_QOS */
+	if (tx_cmd->tid_tspec < IWL_MAX_TID_COUNT)
+		ac = tid_to_mac80211_ac[tx_cmd->tid_tspec];
+	else
+		ac = tid_to_mac80211_ac[0];
+
 	tx_flags |= iwl_mvm_bt_coex_tx_prio(mvm, hdr, info, ac) <<
 			TX_CMD_FLG_BT_PRIO_POS;