nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds

commit 1222a1601488 ("nl80211: Fix possible Spectre-v1 for CQM
RSSI thresholds") was incomplete and requires one more fix to
prevent accessing to rssi_thresholds[n] because user can control
rssi_thresholds[i] values to make i reach to n. For example,
rssi_thresholds = {-400, -300, -200, -100} when last is -34.

Cc: stable@vger.kernel.org
Fixes: 1222a1601488 ("nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Link: https://lore.kernel.org/r/20190908005653.17433-1-masashi.honma@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

1 files changed, 3 insertions, 1 deletions

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 0c7fa6004ffb..d21b1581a665 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -10805,9 +10805,11 @@ static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
         hyst = wdev->cqm_config->rssi_hyst;
         n = wdev->cqm_config->n_rssi_thresholds;
 
-        for (i = 0; i < n; i++)
+        for (i = 0; i < n; i++) {
+                i = array_index_nospec(i, n);
                 if (last < wdev->cqm_config->rssi_thresholds[i])
                         break;
+        }
 
         low_index = i - 1;
         if (low_index >= 0) {