Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.19 / 5a277e5b8179117c9e2544580c1e2ebc297a699d^! / .
commit5a277e5b8179117c9e2544580c1e2ebc297a699d[log] [tgz]
authorDan Carpenter <dan.carpenter@oracle.com>Thu Aug 13 17:13:15 2020 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>Thu Oct 29 09:55:05 2020 +0100
tree91e2fcc489132257d3d33f8a4fa4576c7c97997b
parentaea63181b6fcb6b9ccde1ada9ea51be19c4015af [diff]
ath6kl: prevent potential array overflow in ath6kl_add_new_sta()

[ Upstream commit 54f9ab7b870934b70e5a21786d951fbcf663970f ]

The value for "aid" comes from skb->data so Smatch marks it as
untrusted.  If it's invalid then it can result in an out of bounds array
access in ath6kl_add_new_sta().

Fixes: 572e27c00c9d ("ath6kl: Fix AP mode connect event parsing and TIM updates")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200813141315.GB457408@mwanda
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/net/wireless/ath/ath6kl/main.c b/drivers/net/wireless/ath/ath6kl/main.c
index 0c61dba..702c476 100644
--- a/drivers/net/wireless/ath/ath6kl/main.c
+++ b/drivers/net/wireless/ath/ath6kl/main.c

@@ -429,6 +429,9 @@
 
 	ath6kl_dbg(ATH6KL_DBG_TRC, "new station %pM aid=%d\n", mac_addr, aid);
 
+	if (aid < 1 || aid > AP_MAX_NUM_STA)
+		return;
+
 	if (assoc_req_len > sizeof(struct ieee80211_hdr_3addr)) {
 		struct ieee80211_mgmt *mgmt =
 			(struct ieee80211_mgmt *) assoc_info;