Smatch complains that status->band comes from the skb->data so it
cannot be trusted. It's a u8 so it can be in the 0-255 range but the
rx->local->hw.wiphy->bands[] array only has 6 elements.
Fixes: 1d8d3dec5fbb ("mac80211: handle SMPS action frames")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
net/mac80211/rx.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 93680af62c47..9b0cf9e3b7bd 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -3287,6 +3287,9 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
if (len < IEEE80211_MIN_ACTION_SIZE)
return RX_DROP_UNUSABLE;
+ if (status->band >= NUM_NL80211_BANDS)
+ goto invalid;
+
if (!rx->sta && mgmt->u.action.category != WLAN_CATEGORY_PUBLIC &&
mgmt->u.action.category != WLAN_CATEGORY_SELF_PROTECTED &&
mgmt->u.action.category != WLAN_CATEGORY_SPECTRUM_MGMT)
--
2.20.1
