Christian Lamparter <chunkeey@xxxxxxxxx> writes: > On Wednesday, November 1, 2017 9:37:53 PM CET Sebastian Gottschall wrote: >> a additional array bounds check would be good > > Ah, about that: > > the bw variable in ath10k_htt_rx_h_rates() is extracted from info2 > in the following way [0]: > | bw = info2 & 3; > > the txrate.bw variable in ath10k_update_per_peer_tx_stats() is set by [1]: > | txrate.bw = ATH10K_HW_BW(peer_stats->flags); > > ATH10K_HW_BW is a macro defined as [2]: > | #define ATH10K_HW_BW(flags) (((flags) >> 3) & 0x3) > > In both cases the bandwidth values already are limited to 0-3 by > the "and 3" operation. Until someone changes that part of the code (and the firmware interface). IMHO a switch is safer as there we don't have any risk of out of bands access. -- Kalle Valo
