iwlwifi: prevent read outside array bounds

With EDCA and HCCA we have 16 potential tid values. This is accommodated by
mac80211, but iwlwifi only supports EDCA. With this implementation it is
thus possible for mac80211 to request a tid that will cause iwlwifi to read
outside array bounds. A similar problem exists if traffic is received in an
unsupported category.

We add error checking to catch these situations.

Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

1 files changed, 2 insertions, 0 deletions

diff --git a/drivers/net/wireless/iwlwifi/iwl3945-base.c b/drivers/net/wireless/iwlwifi/iwl3945-base.c
index e617411d0c5e..f339c5bd1fde 100644
--- a/drivers/net/wireless/iwlwifi/iwl3945-base.c
+++ b/drivers/net/wireless/iwlwifi/iwl3945-base.c
@@ -544,6 +544,8 @@ static int iwl3945_tx_skb(struct iwl_priv *priv, struct sk_buff *skb)
         if (ieee80211_is_data_qos(fc)) {
                 qc = ieee80211_get_qos_ctl(hdr);
                 tid = qc[0] & IEEE80211_QOS_CTL_TID_MASK;
+                if (unlikely(tid >= MAX_TID_COUNT))
+                        goto drop;
                 seq_number = priv->stations[sta_id].tid[tid].seq_number &
                                 IEEE80211_SCTL_SEQ;
                 hdr->seq_ctrl = cpu_to_le16(seq_number) |