RE: [bug report] wifi: iwlwifi: support link_id in SESSION_PROTECTION cmd

Hi Dan 😊

Thanks for the update,
I'll fix it

Thanks,
Miri

Miri Korenblit | CCG | WCS | WCD
Office: +972 2 589-7724 | Cell Phone: +972 54 846 3803

-----Original Message-----
From: Dan Carpenter <dan.carpenter@xxxxxxxxxx> 
Sent: Wednesday, October 25, 2023 09:51
To: Korenblit, Miriam Rachel <miriam.rachel.korenblit@xxxxxxxxx>
Cc: linux-wireless@xxxxxxxxxxxxxxx
Subject: [bug report] wifi: iwlwifi: support link_id in SESSION_PROTECTION cmd

Hello Miri Korenblit,

The patch 135065837310: "wifi: iwlwifi: support link_id in SESSION_PROTECTION cmd" from Oct 17, 2023 (linux-next), leads to the following Smatch static checker warning:

	drivers/net/wireless/intel/iwlwifi/mvm/time-event.c:705 iwl_mvm_get_session_prot_id()
	warn: unsigned 'link_id' is never less than zero.

drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
    693 static int iwl_mvm_get_session_prot_id(struct iwl_mvm *mvm,
    694                                        struct ieee80211_vif *vif,
    695                                        u32 link_id)
    696 {
    697         struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif);
    698         int ver = iwl_fw_lookup_cmd_ver(mvm->fw,
    699                                         WIDE_ID(MAC_CONF_GROUP,
    700                                                 SESSION_PROTECTION_CMD), 1);
    701 
    702         if (ver < 2)
    703                 return mvmvif->id;
    704 
--> 705         if (WARN(link_id < 0 || !mvmvif->link[link_id],

link_id can't be less than zero.  But the bugs are deeper than that.
In iwl_mvm_te_clear_data() we set:

	te_data->link_id = -1;

But here link_id is a u8, so really we're setting it to 255 instead of -1.  So that means that the mvmvif->link[link_id] is an out of bounds access.

And generally I know from the type that link_id is 0-255 but if it's more than 15 then it's an out of bounds access.  I couldn't figure out exactly where this is set so it's hard to tell if there are other out of bounds accesses as well.

    706                  "Invalid link ID for session protection: %u\n", link_id))
    707                 return -EINVAL;
    708 
    709         if (WARN(ieee80211_vif_is_mld(vif) &&
    710                  !(vif->active_links & BIT(link_id)),
    711                  "Session Protection on an inactive link: %u\n", link_id))
    712                 return -EINVAL;
    713 
    714         return mvmvif->link[link_id]->fw_link_id;
    715 }

regards,
dan carpenter
---------------------------------------------------------------------
A member of the Intel Corporation group of companies

This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.
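
Added example, not part of either e-mail and not the iwlwifi fix: a user-space sketch of the signedness problem the report describes, where -1 stored in a u8 becomes 255 and then indexes a 16-entry link array. All demo_* names, DEMO_MAX_LINKS (taken from the report's "more than 15") and the sample values are constructed for illustration; the range check is one possible hardening, stated here as an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for illustration; not the iwlwifi structures. */
#define DEMO_MAX_LINKS 16   /* report: an index above 15 is out of bounds */
#define DEMO_EINVAL    22

struct demo_link { int fw_link_id; };
struct demo_vif { struct demo_link *link[DEMO_MAX_LINKS]; };
struct demo_te_data { uint8_t link_id; };   /* u8, as in the report */

/* Same assignment as "te_data->link_id = -1": a u8 ends up holding 255. */
static void demo_te_clear(struct demo_te_data *te)
{
	te->link_id = -1;
}

/*
 * Hypothetical hardened lookup: compare the unsigned index against the
 * array size before it is used, since "link_id < 0" can never be true.
 */
static int demo_get_fw_link_id(const struct demo_vif *vif, uint32_t link_id)
{
	if (link_id >= DEMO_MAX_LINKS || !vif->link[link_id])
		return -DEMO_EINVAL;
	return vif->link[link_id]->fw_link_id;
}

/* Clear a time event, then feed its link_id to the lookup as a caller would. */
static int demo_lookup_after_clear(const struct demo_vif *vif)
{
	struct demo_te_data te = { .link_id = 0 };

	demo_te_clear(&te);
	return demo_get_fw_link_id(vif, te.link_id);
}

int main(void)
{
	struct demo_link l0 = { .fw_link_id = 3 };   /* constructed value */
	struct demo_vif vif = { .link = { [0] = &l0 } };

	printf("link 0 -> %d\n", demo_get_fw_link_id(&vif, 0));
	printf("empty slot 1 -> %d\n", demo_get_fw_link_id(&vif, 1));
	printf("after clear -> %d\n", demo_lookup_after_clear(&vif));
	return 0;
}
```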



