git.baikalelectronics.ru Git - kernel.git/commit
wifi: iwlegacy: 4965: fix potential off-by-one overflow in il4965_rs_fill_link_cmd()
author Alexey Kodanev <aleksei.kodanev@bell-sw.com>
Wed, 8 Jun 2022 17:16:14 +0000 (20:16 +0300)
committer Kalle Valo <kvalo@kernel.org>
Tue, 21 Jun 2022 06:13:07 +0000 (09:13 +0300)
commit d52d82d885f81008271b325bfef85ff1ac80f567
tree f50fdc427d942a4fc261b61b8d217c29e457e22d
parent 7e55b6101cd4c16282bc45a532eae450f6fcde95
wifi: iwlegacy: 4965: fix potential off-by-one overflow in il4965_rs_fill_link_cmd()

As a result of the execution of the inner while loop, the value
of 'idx' can be equal to LINK_QUAL_MAX_RETRY_NUM. However, this
is not checked after the loop and 'idx' is used to write the
LINK_QUAL_MAX_RETRY_NUM size array 'lq_cmd->rs_table[idx]' below
in the outer loop.

The fix is to check the new value of 'idx' inside the nested loop,
and break both loops if index equals the size. Checking it at the
start is now pointless, so let's remove it.

Detected using the static analysis tool - Svace.

Fixes: 92be5c71117b ("iwlwifi: split the drivers for agn and legacy devices 3945/4965")
Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220608171614.28891-1-aleksei.kodanev@bell-sw.com
drivers/net/wireless/intel/iwlegacy/4965-rs.c
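
Added example, not code from this commit or from the kernel tree: a simplified C model of the loop shape the commit message describes, with the bound tested only in the loop conditions next to a variant that tests 'idx' after every increment. The names TABLE_LEN, store, fill_unchecked and fill_checked and the table size are assumptions made for the illustration; the unchecked variant records the index it targets instead of actually writing out of range.

```c
#include <stdio.h>

#define TABLE_LEN 16 /* constructed size, stands in for LINK_QUAL_MAX_RETRY_NUM */

/* Record the index a store targets; write only when it is in range, so the
 * demonstration itself never corrupts memory. */
static void store(int *table, int idx, int val, int *max_idx)
{
    if (idx > *max_idx)
        *max_idx = idx;
    if (idx < TABLE_LEN)
        table[idx] = val;
}

/* Unfixed shape: idx is bounded only by the loop conditions. Returns the
 * highest index targeted; TABLE_LEN means one element past the end. */
int fill_unchecked(int *table, int repeat)
{
    int idx = 0, max_idx = -1, rate = 100;
    while (idx < TABLE_LEN) {
        for (int r = repeat; r > 0 && idx < TABLE_LEN; r--)
            store(table, idx++, rate, &max_idx);
        /* idx may now equal TABLE_LEN, but the outer body stores anyway */
        store(table, idx++, --rate, &max_idx);
    }
    return max_idx;
}

/* Fixed shape: idx is tested after every increment and both loops end. */
int fill_checked(int *table, int repeat)
{
    int idx = 0, max_idx = -1, rate = 100;
    for (;;) {
        for (int r = repeat; r > 0; r--) {
            store(table, idx++, rate, &max_idx);
            if (idx >= TABLE_LEN)
                return max_idx;
        }
        store(table, idx++, --rate, &max_idx);
        if (idx >= TABLE_LEN)
            return max_idx;
    }
}

int main(void)
{
    int t[TABLE_LEN];
    printf("unchecked: %d, checked: %d\n", fill_unchecked(t, 2), fill_checked(t, 2));
    return 0;
}
```

Whether the unchecked shape steps past the end depends on the repeat count: it does when the inner loop is the one that consumes the last slot, which is why such a bug can survive ordinary testing.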