Alexey Kodanev <aleksei.kodanev@xxxxxxxxxxx> wrote:

> As a result of the execution of the inner while loop, the value
> of 'idx' can be equal to LINK_QUAL_MAX_RETRY_NUM. However, this
> is not checked after the loop and 'idx' is used to write the
> LINK_QUAL_MAX_RETRY_NUM size array 'lq_cmd->rs_table[idx]' below
> in the outer loop.
>
> The fix is to check the new value of 'idx' inside the nested loop,
> and break both loops if index equals the size. Checking it at the
> start is now pointless, so let's remove it.
>
> Detected using the static analysis tool - Svace.
>
> Fixes: be663ab67077 ("iwlwifi: split the drivers for agn and legacy devices 3945/4965")
> Signed-off-by: Alexey Kodanev <aleksei.kodanev@xxxxxxxxxxx>

Patch applied to wireless-next.git, thanks.

a8eb8e6f7159 wifi: iwlegacy: 4965: fix potential off-by-one overflow in il4965_rs_fill_link_cmd()

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/20220608171614.28891-1-aleksei.kodanev@xxxxxxxxxxx/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
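
A simplified model of the loop shape the commit message describes, as an added example that is not part of the original mail and not the iwlegacy driver's code. The value 16 for LINK_QUAL_MAX_RETRY_NUM, REPEAT, the rate values, the guard slot and both function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#define LINK_QUAL_MAX_RETRY_NUM 16 /* value assumed for this model */
#define REPEAT 3                   /* hypothetical tries per rate */
/* One guard slot past the end makes the stray write observable, not UB. */
struct table { int rs_table[LINK_QUAL_MAX_RETRY_NUM + 1]; };

/* Unchecked shape; returns 1 if the slot past the table was written. */
static int fill_unchecked(struct table *t, int idx)
{
    int repeat = REPEAT, rate = 100;
    memset(t, 0, sizeof(*t));
    while (idx < LINK_QUAL_MAX_RETRY_NUM) {
        while (repeat > 0 && idx < LINK_QUAL_MAX_RETRY_NUM) {
            t->rs_table[idx++] = rate;
            repeat--;
        }
        rate--;                    /* step down to the next rate */
        t->rs_table[idx++] = rate; /* idx is not re-checked here */
        repeat = REPEAT - 1;
    }
    return t->rs_table[LINK_QUAL_MAX_RETRY_NUM] != 0;
}

/* Checked shape: idx tested after every increment; caller passes idx < size. */
static int fill_checked(struct table *t, int idx)
{
    int repeat = REPEAT, rate = 100;
    memset(t, 0, sizeof(*t));
    for (;;) {
        while (repeat > 0) {
            t->rs_table[idx++] = rate;
            repeat--;
            if (idx >= LINK_QUAL_MAX_RETRY_NUM) /* leaves both loops */
                return t->rs_table[LINK_QUAL_MAX_RETRY_NUM] != 0;
        }
        rate--;
        t->rs_table[idx++] = rate;
        if (idx >= LINK_QUAL_MAX_RETRY_NUM)
            return t->rs_table[LINK_QUAL_MAX_RETRY_NUM] != 0;
        repeat = REPEAT - 1;
    }
}

int main(void)
{
    struct table t;
    for (int i = 0; i < 3; i++)
        printf("%d: %d %d\n", i, fill_unchecked(&t, i), fill_checked(&t, i));
}
```

In this model the stray write depends on the starting index: starting at 0 the unchecked loop happens to stop exactly at the table size, while starting at 1 or 2 the inner loop exits with idx equal to the size and the following write lands one slot past the table.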