On 09/20/2012 09:21 AM, rmani@xxxxxxxxxxxxxxxx wrote:
> From: Raja Mani <rmani@xxxxxxxxxxxxxxxx>
>
> There are 28 items defined in rate table array 'wmi_rate_tbl'.
> The rate table index (reply->rate_index) in ath6kl_wmi_bitrate_reply_rx()
> func is not checked for the valid max limit index before accessing
> rate table array. There may be some incidents to get memory crashes
> without safe max check. Fix this.
>
> Found this on code review.
>
> Signed-off-by: Raja Mani <rmani@xxxxxxxxxxxxxxxx>
> ---
> drivers/net/wireless/ath/ath6kl/wmi.c | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
> index d5263ff..666f56d 100644
> --- a/drivers/net/wireless/ath/ath6kl/wmi.c
> +++ b/drivers/net/wireless/ath/ath6kl/wmi.c
> @@ -1171,6 +1171,9 @@ static int ath6kl_wmi_bitrate_reply_rx(struct wmi *wmi, u8 *datap, int len)
> rate = RATE_AUTO;
> } else {
> index = reply->rate_index & 0x7f;
> + if (index > (RATE_MCS_7_40 + 1))
> + return -EINVAL;

Please add WARN_ON_ONCE() to catch this easily:

    if (WARN_ON_ONCE(index > (RATE_MCS_7_40 + 1)))
        return -EINVAL;

Kalle
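
Review bot: the bound in the added check, index > (RATE_MCS_7_40 + 1), is tied to an enum value rather than to the array being indexed, and because it uses ">" it still accepts index == RATE_MCS_7_40 + 1. The commit message says wmi_rate_tbl has 28 items, so it is worth confirming that RATE_MCS_7_40 + 1 is the last valid slot and not one past the end. Comparing against the table itself, for example "if (index >= ARRAY_SIZE(wmi_rate_tbl)) return -EINVAL;", would make that evident at the call site and keep the check correct if entries are added or removed. Since index is taken from reply->rate_index & 0x7f it can be as large as 127, so a bound is needed in either form.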