Commit aa796f12 authored by Lorenzo Bianconi's avatar Lorenzo Bianconi Committed by Felix Fietkau
Browse files

mt76: mt7915: fix unbounded shift in mt7915_mcu_beacon_mbss 



Fix the following smatch static checker warning:
	drivers/net/wireless/mediatek/mt76/mt7915/mcu.c:1872 mt7915_mcu_beacon_mbss()
	error: undefined (user controlled) shift '(((1))) << (data[2])'

Rely on mac80211 definitions for ieee80211_bssid_index subelement.

Fixes: 6b7f9aff ("mt76: mt7915: introduce 802.11ax multi-bss support")
Signed-off-by: default avatarLorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
parent 5beadb27

drivers/net/wireless/mediatek/mt76/mt7915/mcu.c

+13 −7
Original line number Diff line number Diff line
@@ -1854,7 +1854,8 @@ mt7915_mcu_beacon_mbss(struct sk_buff *rskb, struct sk_buff *skb, 
			continue;



		for_each_element(sub_elem, elem->data + 1, elem->datalen - 1) {

			const u8 *data;

			const struct ieee80211_bssid_index *idx;

			const u8 *idx_ie;



			if (sub_elem->id || sub_elem->datalen < 4)

				continue; /* not a valid BSS profile */
@@ -1862,14 +1863,19 @@ mt7915_mcu_beacon_mbss(struct sk_buff *rskb, struct sk_buff *skb, 
			/* Find WLAN_EID_MULTI_BSSID_IDX

			 * in the merged nontransmitted profile

			 */

			data = cfg80211_find_ie(WLAN_EID_MULTI_BSSID_IDX,

			idx_ie = cfg80211_find_ie(WLAN_EID_MULTI_BSSID_IDX,

						  sub_elem->data,

						  sub_elem->datalen);

			if (!data || data[1] < 1 || !data[2])

			if (!idx_ie || idx_ie[1] < sizeof(*idx))

				continue;



			mbss->offset[data[2]] = cpu_to_le16(data - skb->data);

			mbss->bitmap |= cpu_to_le32(BIT(data[2]));

			idx = (void *)(idx_ie + 2);

			if (!idx->bssid_index || idx->bssid_index > 31)

				continue;



			mbss->offset[idx->bssid_index] =

				cpu_to_le16(idx_ie - skb->data);

			mbss->bitmap |= cpu_to_le32(BIT(idx->bssid_index));

		}

	}

}