iwlwifi: prevent read outside array bounds

With EDCA and HCCA we have 16 potential tid values. This is accommodated by mac80211, but iwlwifi only supports EDCA. With this implementation it is thus possible for mac80211 to request a tid that will cause iwlwifi to read outside array bounds. A similar problem exists if traffic is received in an unsupported category. We add error checking to catch these situations. Signed-off-by: Reinette Chatre <reinette.chatre@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
author: Reinette Chatre <reinette.chatre@intel.com> 2009-08-13 16:30:50 -0400
committer: John W. Linville <linville@tuxdriver.com> 2009-08-20 11:33:09 -0400
commit: e6a6cf4c42e0dc3541a63b5f0f88299f982d6704 (patch)
tree: 574aabd9f6e94079697da91b1ad9c8bad865f0c6 /drivers/net/wireless/iwlwifi
parent: a8b875e7dc80ff442698d8cf4f45ccce400a6a66 (diff)
3 files changed, 10 insertions, 0 deletions
diff --git a/drivers/net/wireless/iwlwifi/iwl-agn-rs.c b/drivers/net/wireless/iwlwifi/iwl-agn-rs.c
index 21331552ff2..1bd7cd4dd80 100644
--- a/drivers/net/wireless/iwlwifi/iwl-agn-rs.c
+++ b/drivers/net/wireless/iwlwifi/iwl-agn-rs.c
@@ -332,6 +332,9 @@ static u8 rs_tl_add_packet(struct iwl_lq_sta *lq_data,
        } else
                return MAX_TID_COUNT;
+        if (unlikely(tid >= TID_MAX_LOAD_COUNT))
+                return MAX_TID_COUNT;
        tl = &lq_data->load[tid];
        curr_time -= curr_time % TID_ROUND_VALUE;
diff --git a/drivers/net/wireless/iwlwifi/iwl-tx.c b/drivers/net/wireless/iwlwifi/iwl-tx.c
index 9b76bd41f21..7686fc72eb8 100644
--- a/drivers/net/wireless/iwlwifi/iwl-tx.c
+++ b/drivers/net/wireless/iwlwifi/iwl-tx.c
@@ -745,6 +745,8 @@ int iwl_tx_skb(struct iwl_priv *priv, struct sk_buff *skb)
        if (ieee80211_is_data_qos(fc)) {
                qc = ieee80211_get_qos_ctl(hdr);
                tid = qc[0] & IEEE80211_QOS_CTL_TID_MASK;
+                if (unlikely(tid >= MAX_TID_COUNT))
+                        goto drop_unlock;
                seq_number = priv->stations[sta_id].tid[tid].seq_number;
                seq_number &= IEEE80211_SCTL_SEQ;
                hdr->seq_ctrl = hdr->seq_ctrl &
@@ -1238,6 +1240,9 @@ int iwl_tx_agg_stop(struct iwl_priv *priv , const u8 *ra, u16 tid)
                return -EINVAL;
        }
+        if (unlikely(tid >= MAX_TID_COUNT))
+                return -EINVAL;
        if (likely(tid < ARRAY_SIZE(default_tid_to_tx_fifo)))
                tx_fifo_id = default_tid_to_tx_fifo[tid];
        else
diff --git a/drivers/net/wireless/iwlwifi/iwl3945-base.c b/drivers/net/wireless/iwlwifi/iwl3945-base.c
index e617411d0c5..f339c5bd1fd 100644
--- a/drivers/net/wireless/iwlwifi/iwl3945-base.c
+++ b/drivers/net/wireless/iwlwifi/iwl3945-base.c
@@ -544,6 +544,8 @@ static int iwl3945_tx_skb(struct iwl_priv *priv, struct sk_buff *skb)
        if (ieee80211_is_data_qos(fc)) {
                qc = ieee80211_get_qos_ctl(hdr);
                tid = qc[0] & IEEE80211_QOS_CTL_TID_MASK;
+                if (unlikely(tid >= MAX_TID_COUNT))
+                        goto drop;
                seq_number = priv->stations[sta_id].tid[tid].seq_number &
                                IEEE80211_SCTL_SEQ;
                hdr->seq_ctrl = cpu_to_le16(seq_number) |
author	Reinette Chatre <reinette.chatre@intel.com>	2009-08-13 16:30:50 -0400
committer	John W. Linville <linville@tuxdriver.com>	2009-08-20 11:33:09 -0400
commit	e6a6cf4c42e0dc3541a63b5f0f88299f982d6704 (patch)
tree	574aabd9f6e94079697da91b1ad9c8bad865f0c6 /drivers/net/wireless/iwlwifi
parent	a8b875e7dc80ff442698d8cf4f45ccce400a6a66 (diff)