mac80211: fix possible out-of-bounds access

In the unlikely situation that the supplicant has negotiated
admission for the background AC (which it has no reason to as
it's not supposed to be requiring admission control to start
with, and we'd ignore such a requirement anyway), the loop
here may terminate with non_acm_ac == 4, which leads to an
array overrun.

Check this explicitly just for completeness.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>

1 files changed, 8 insertions, 4 deletions

diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 8d426f637f58..7486f2dab4ba 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1672,11 +1672,15 @@ __ieee80211_sta_handle_tspec_ac_params(struct ieee80211_sub_if_data *sdata)
                              non_acm_ac++)
                                 if (!(sdata->wmm_acm & BIT(7 - 2 * non_acm_ac)))
                                         break;
-                        /* The loop will result in using BK even if it requires
-                         * admission control, such configuration makes no sense
-                         * and we have to transmit somehow - the AC selection
-                         * does the same thing.
+                        /* Usually the loop will result in using BK even if it
+                         * requires admission control, but such a configuration
+                         * makes no sense and we have to transmit somehow - the
+                         * AC selection does the same thing.
+                         * If we started out trying to downgrade from BK, then
+                         * the extra condition here might be needed.
                          */
+                        if (non_acm_ac >= IEEE80211_NUM_ACS)
+                                non_acm_ac = IEEE80211_AC_BK;
                         if (drv_conf_tx(local, sdata, ac,
                                         &sdata->tx_conf[non_acm_ac]))
                                 sdata_err(sdata,