Commit 162b22c9 authored by Liad Kaufman's avatar Liad Kaufman Committed by Luca Coelho
Browse files

iwlwifi: tighten boundary checks 



The driver assumes certain sizes and lengths aren't crossed in some
places.  Make sure this indeed happens.

Found by Klocwork.

Signed-off-by: default avatarLiad Kaufman <liad.kaufman@intel.com>
Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
parent 45dc7ba4

drivers/net/wireless/intel/iwlwifi/fw/dbg.c

+2 −0
Original line number Original line Diff line number Diff line
@@ -835,6 +835,8 @@ _iwl_fw_error_dump(struct iwl_fw_runtime *fwrt, 
	if (!fwrt->trans->cfg->dccm_offset || !fwrt->trans->cfg->dccm_len) {

	if (!fwrt->trans->cfg->dccm_offset || !fwrt->trans->cfg->dccm_len) {

		const struct fw_img *img;

		const struct fw_img *img;





		if (fwrt->cur_fw_img >= IWL_UCODE_TYPE_MAX)

			return NULL;

		img = &fwrt->fw->img[fwrt->cur_fw_img];

		img = &fwrt->fw->img[fwrt->cur_fw_img];

		sram_ofs = img->sec[IWL_UCODE_SECTION_DATA].offset;

		sram_ofs = img->sec[IWL_UCODE_SECTION_DATA].offset;

		sram_len = img->sec[IWL_UCODE_SECTION_DATA].len;

		sram_len = img->sec[IWL_UCODE_SECTION_DATA].len;

drivers/net/wireless/intel/iwlwifi/mvm/tx.c

+19 −5
Original line number Original line Diff line number Diff line
@@ -1024,7 +1024,12 @@ static void iwl_mvm_tx_airtime(struct iwl_mvm *mvm, 
			       int airtime)

			       int airtime)

{

{

	int mac = mvmsta->mac_id_n_color & FW_CTXT_ID_MSK;

	int mac = mvmsta->mac_id_n_color & FW_CTXT_ID_MSK;

	struct iwl_mvm_tcm_mac *mdata = &mvm->tcm.data[mac];

	struct iwl_mvm_tcm_mac *mdata;



	if (mac >= NUM_MAC_INDEX_DRIVER)

		return;



	mdata = &mvm->tcm.data[mac];





	if (mvm->tcm.paused)

	if (mvm->tcm.paused)

		return;

		return;
@@ -1035,14 +1040,21 @@ static void iwl_mvm_tx_airtime(struct iwl_mvm *mvm, 
	mdata->tx.airtime += airtime;

	mdata->tx.airtime += airtime;

}

}





static void iwl_mvm_tx_pkt_queued(struct iwl_mvm *mvm,

static int iwl_mvm_tx_pkt_queued(struct iwl_mvm *mvm,

				 struct iwl_mvm_sta *mvmsta, int tid)

				 struct iwl_mvm_sta *mvmsta, int tid)

{

{

	u32 ac = tid_to_mac80211_ac[tid];

	u32 ac = tid_to_mac80211_ac[tid];

	int mac = mvmsta->mac_id_n_color & FW_CTXT_ID_MSK;

	int mac = mvmsta->mac_id_n_color & FW_CTXT_ID_MSK;

	struct iwl_mvm_tcm_mac *mdata = &mvm->tcm.data[mac];

	struct iwl_mvm_tcm_mac *mdata;



	if (mac >= NUM_MAC_INDEX_DRIVER)

		return -EINVAL;



	mdata = &mvm->tcm.data[mac];





	mdata->tx.pkts[ac]++;

	mdata->tx.pkts[ac]++;



	return 0;

}

}





/*

/*
@@ -1162,7 +1174,9 @@ static int iwl_mvm_tx_mpdu(struct iwl_mvm *mvm, struct sk_buff *skb, 




	spin_unlock(&mvmsta->lock);

	spin_unlock(&mvmsta->lock);





	iwl_mvm_tx_pkt_queued(mvm, mvmsta, tid == IWL_MAX_TID_COUNT ? 0 : tid);

	if (iwl_mvm_tx_pkt_queued(mvm, mvmsta,

				  tid == IWL_MAX_TID_COUNT ? 0 : tid))

		goto drop;





	return 0;

	return 0;

drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c

+5 −1
Original line number Original line Diff line number Diff line
@@ -214,7 +214,11 @@ static int iwl_pcie_gen2_set_tb(struct iwl_trans *trans, 
{

{

	struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);

	struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);

	int idx = iwl_pcie_gen2_get_num_tbs(trans, tfd);

	int idx = iwl_pcie_gen2_get_num_tbs(trans, tfd);

	struct iwl_tfh_tb *tb = &tfd->tbs[idx];

	struct iwl_tfh_tb *tb;



	if (WARN_ON(idx >= IWL_NUM_OF_TBS))

		return -EINVAL;

	tb = &tfd->tbs[idx];





	/* Each TFD can point to a maximum max_tbs Tx buffers */

	/* Each TFD can point to a maximum max_tbs Tx buffers */

	if (le16_to_cpu(tfd->num_tbs) >= trans_pcie->max_tbs) {

	if (le16_to_cpu(tfd->num_tbs) >= trans_pcie->max_tbs) {