iwlwifi: mvm: check for n_profiles validity in EWRD ACPI

When reading the profiles from the EWRD table in ACPI, we loop over
the data and set it into our internal table.  We use the number of
profiles specified in ACPI without checking its validity, so if the
ACPI table is corrupted and the number is larger than our array size,
we will try to make an out-of-bounds access.

Fix this by making sure the value specified in the ACPI table is
valid.

Fixes: aa18dab5f701 ("iwlwifi: mvm: add support for EWRD (Dynamic SAR) ACPI table")
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
index 96d26b7499523ad0793202e329b25eff58dc8504..5020cc70714257e707096772d1cf7b36e3d0f1ce 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
@@ -699,8 +699,12 @@ static int iwl_mvm_sar_get_ewrd_table(struct iwl_mvm *mvm)
        enabled = !!(wifi_pkg->package.elements[1].integer.value);
        n_profiles = wifi_pkg->package.elements[2].integer.value;
 
-       /* in case of BIOS bug */
-       if (n_profiles <= 0) {
+       /*
+        * Check the validity of n_profiles.  The EWRD profiles start
+        * from index 1, so the maximum value allowed here is
+        * ACPI_SAR_PROFILES_NUM - 1.
+        */
+       if (n_profiles <= 0 || n_profiles >= ACPI_SAR_PROFILE_NUM) {
                ret = -EINVAL;
                goto out_free;
        }