Commit aedb2b38 authored by Anjaneyulu's avatar Anjaneyulu Committed by Johannes Berg

wifi: iwlwifi: mvm: Validate tid is in valid range before using it

parent 4670d8dc
+7 −3
// SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
/*
 * Copyright (C) 2012-2014, 2018-2022 Intel Corporation
 * Copyright (C) 2012-2014, 2018-2023 Intel Corporation
 * Copyright (C) 2013-2015 Intel Mobile Communications GmbH
 * Copyright (C) 2016-2017 Intel Deutschland GmbH
 */
@@ -213,8 +213,12 @@ static void iwl_mvm_rx_handle_tcm(struct iwl_mvm *mvm,
	};
	u16 thr;

	if (ieee80211_is_data_qos(hdr->frame_control))
		ac = tid_to_mac80211_ac[ieee80211_get_tid(hdr)];
	if (ieee80211_is_data_qos(hdr->frame_control)) {
		u8 tid = ieee80211_get_tid(hdr);

		if (tid < IWL_MAX_TID_COUNT)
			ac = tid_to_mac80211_ac[tid];
	}

	mvmsta = iwl_mvm_sta_from_mac80211(sta);
	mac = mvmsta->mac_id_n_color & FW_CTXT_ID_MSK;
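Review bot: When a QoS frame carries a TID of IWL_MAX_TID_COUNT or above, the new guard in iwl_mvm_rx_handle_tcm skips the table lookup and `ac` silently keeps whatever value it was given before the hunk, so that frame's traffic is still accounted to that access category. The TID is read from the received frame header, so the sending peer chooses it; a one-line comment above the check would make the fallback visibly deliberate, for example `/* TID comes from the received header; out-of-range values keep the default AC */`. The relation between IWL_MAX_TID_COUNT and the length of `tid_to_mac80211_ac` is not visible here and is worth confirming where the table is defined. The function body starts and ends outside the hunk.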
+6 −3
@@ -484,7 +484,7 @@ static void iwl_mvm_rx_csum(struct iwl_mvm *mvm,
}

/*
 * returns true if a packet is a duplicate and should be dropped.
 * returns true if a packet is a duplicate or invalid tid and should be dropped.
 * Updates AMSDU PN tracking info
 */
static bool iwl_mvm_is_dup(struct ieee80211_sta *sta, int queue,
@@ -513,11 +513,14 @@ static bool iwl_mvm_is_dup(struct ieee80211_sta *sta, int queue,
		return false;
	}

	if (ieee80211_is_data_qos(hdr->frame_control))
	if (ieee80211_is_data_qos(hdr->frame_control)) {
		/* frame has qos control */
		tid = ieee80211_get_tid(hdr);
	else
		if (tid >= IWL_MAX_TID_COUNT)
			return true;
	} else {
		tid = IWL_MAX_TID_COUNT;
	}

	/* If this wasn't a part of an A-MSDU the sub-frame index will be 0 */
	sub_frame_idx = desc->amsdu_info &
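Review bot: The out-of-range TID drop in iwl_mvm_is_dup is reported through the same `return true` as a genuine duplicate, so the caller (not visible here) cannot tell a malformed frame from a retransmission, and nothing records that such a frame was seen. The `>=` bound also keeps a QoS frame from landing on IWL_MAX_TID_COUNT, the value the `else` branch assigns to non-QoS frames, which deserves a comment next to the check: `/* IWL_MAX_TID_COUNT is reserved for non-QoS frames below; a QoS frame must not alias it */`. If the driver already has a drop counter or rate-limited debug print for malformed RX frames, this branch is where to use it. The function continues past the end of the hunk, so how `tid` is used afterwards is inferred rather than seen.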