From: Raja Mani <rmani@qca.qualcomm.com>
Date: Fri, 21 Sep 2012 09:38:54 +0000 (+0530)
Subject: ath6kl: Check for valid rate table index
X-Git-Tag: firefly_0821_release~3680^2~1480^2~17^2~198^2~13
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=d54601b92fbde2a7021a844e1373ba8c778cc0a3;p=firefly-linux-kernel-4.4.55.git

ath6kl: Check for valid rate table index

There are 28 items defined in rate table array 'wmi_rate_tbl'.
The rate table index (reply->rate_index) in ath6kl_wmi_bitrate_reply_rx()
func is not checked for the valid max limit index before accessing
rate table array. There may be some incidents to get memory crashes
without safe max check. Fix this.

Found this on code review.

Signed-off-by: Raja Mani <rmani@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
---

diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
index 64b81fd554b3..f3aeebb2fd42 100644
--- a/drivers/net/wireless/ath/ath6kl/wmi.c
+++ b/drivers/net/wireless/ath/ath6kl/wmi.c
@@ -1174,6 +1174,9 @@ static int ath6kl_wmi_bitrate_reply_rx(struct wmi *wmi, u8 *datap, int len)
 		rate = RATE_AUTO;
 	} else {
 		index = reply->rate_index & 0x7f;
+		if (WARN_ON_ONCE(index > (RATE_MCS_7_40 + 1)))
+			return -EINVAL;
+
 		sgi = (reply->rate_index & 0x80) ? 1 : 0;
 		rate = wmi_rate_tbl[index][sgi];
 	}