On Tue, Nov 26, 2019 at 09:04:15AM +0100, Toke Høiland-Jørgensen wrote:
> Dan Carpenter <dan.carpenter@xxxxxxxxxx> writes:
>
> > The sband->bitrates[] array has "sband->n_bitrates" elements so this
> > check needs to be >= instead of > or we could read beyond the end of the
> > array.
> >
> > These values come from when we call mt76_register_device():
> >
> > ret = mt76_register_device(&dev->mt76, true, mt7603_rates,
> > ARRAY_SIZE(mt7603_rates));
> >
> > Here sband->bitrates[] is mt7603_rates[] and ->n_bitrates is the
> > ARRAY_SIZE()
> >
> > Fixes: 5ce09c1a7907 ("mt76: track rx airtime for airtime fairness and survey")
> > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> > ---
> > drivers/net/wireless/mediatek/mt76/airtime.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/net/wireless/mediatek/mt76/airtime.c b/drivers/net/wireless/mediatek/mt76/airtime.c
> > index 55116f395f9a..a4a785467748 100644
> > --- a/drivers/net/wireless/mediatek/mt76/airtime.c
> > +++ b/drivers/net/wireless/mediatek/mt76/airtime.c
> > @@ -242,7 +242,7 @@ u32 mt76_calc_rx_airtime(struct mt76_dev *dev, struct mt76_rx_status *status,
> > return 0;
> >
> > sband = dev->hw->wiphy->bands[status->band];
> > - if (!sband || status->rate_idx > sband->n_bitrates)
> > + if (!sband || status->rate_idx >= sband->n_bitrates)
> > return 0;
> >
> > rate = &sband->bitrates[status->rate_idx];
>
> This code has recently been ported to mac80211 (net/mac80211/airtime.c).
> It seems that the bug is also present there; care to send a patch for
> that as well? :)
Oh. Thanks for pointing that out. I actually saw the static checker
warning for that and ignored it thinking that it was the same code. :P
I will send a fix for it.
regards,
dan carpenter
