In the il_process_add_sta_resp function, the index sta_id in
il->stations[sta_id] is not validated, which may lead to memory
corruption if the sta_id index is out of bounds.
Fixes: 0cdc21363cc2 ("iwlegacy: merge common .c files")
Signed-off-by: Chen Yufeng <chenyufeng@xxxxxxxxx>
Reviewed-by: Stanislaw Gruszka <stf_xl@xxxxx>
---
Changes in v2:
- Add header file commands.h to get IL_STATION_COUNT
- move the validation of sta_id to il_process_add_sta_resp
drivers/net/wireless/intel/iwlegacy/common.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/wireless/intel/iwlegacy/common.c b/drivers/net/wireless/intel/iwlegacy/common.c
index b7bd3ec4cc50..2840d0935650 100644
--- a/drivers/net/wireless/intel/iwlegacy/common.c
+++ b/drivers/net/wireless/intel/iwlegacy/common.c
@@ -22,6 +22,7 @@
#include <net/mac80211.h>
#include "common.h"
+#include "commands.h"
int
_il_poll_bit(struct il_priv *il, u32 addr, u32 bits, u32 mask, int timeout)
@@ -1766,6 +1767,11 @@ il_process_add_sta_resp(struct il_priv *il, struct il_addsta_cmd *addsta,
IL_ERR("Bad return from C_ADD_STA (0x%08X)\n", pkt->hdr.flags);
return ret;
}
+
+ if (sta_id >= IL_STATION_COUNT) {
+ IL_ERR(il, "invalid sta_id %u", sta_id);
+ return -EINVAL;
+ }
D_INFO("Processing response for adding station %u\n", sta_id);
--
2.34.1
