iwlwifi: tighten boundary checks

The driver assumes certain sizes and lengths aren't crossed in some
places.  Make sure this indeed happens.

Found by Klocwork.

Signed-off-by: Liad Kaufman <liad.kaufman@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>

diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
index 5f16879ab26adb2a1b8e69bcb4779c1c1f34bcb3..56e99b5661f7608f32760578fe184bf2dff0aa05 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
@@ -835,6 +835,8 @@ _iwl_fw_error_dump(struct iwl_fw_runtime *fwrt,
        if (!fwrt->trans->cfg->dccm_offset || !fwrt->trans->cfg->dccm_len) {
                const struct fw_img *img;
 
+               if (fwrt->cur_fw_img >= IWL_UCODE_TYPE_MAX)
+                       return NULL;
                img = &fwrt->fw->img[fwrt->cur_fw_img];
                sram_ofs = img->sec[IWL_UCODE_SECTION_DATA].offset;
                sram_len = img->sec[IWL_UCODE_SECTION_DATA].len;

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
index 2adef6e3e0ac0039d39b07080df02ba2c8de1e6d..ac62eb8c4b36d56848f32ae9df6525427a7843a9 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
@@ -1024,7 +1024,12 @@ static void iwl_mvm_tx_airtime(struct iwl_mvm *mvm,
                               int airtime)
 {
        int mac = mvmsta->mac_id_n_color & FW_CTXT_ID_MSK;
-       struct iwl_mvm_tcm_mac *mdata = &mvm->tcm.data[mac];
+       struct iwl_mvm_tcm_mac *mdata;
+
+       if (mac >= NUM_MAC_INDEX_DRIVER)
+               return;
+
+       mdata = &mvm->tcm.data[mac];
 
        if (mvm->tcm.paused)
                return;
@@ -1035,14 +1040,21 @@ static void iwl_mvm_tx_airtime(struct iwl_mvm *mvm,
        mdata->tx.airtime += airtime;
 }
 
-static void iwl_mvm_tx_pkt_queued(struct iwl_mvm *mvm,
-                                 struct iwl_mvm_sta *mvmsta, int tid)
+static int iwl_mvm_tx_pkt_queued(struct iwl_mvm *mvm,
+                                struct iwl_mvm_sta *mvmsta, int tid)
 {
        u32 ac = tid_to_mac80211_ac[tid];
        int mac = mvmsta->mac_id_n_color & FW_CTXT_ID_MSK;
-       struct iwl_mvm_tcm_mac *mdata = &mvm->tcm.data[mac];
+       struct iwl_mvm_tcm_mac *mdata;
+
+       if (mac >= NUM_MAC_INDEX_DRIVER)
+               return -EINVAL;
+
+       mdata = &mvm->tcm.data[mac];
 
        mdata->tx.pkts[ac]++;
+
+       return 0;
 }
 
 /*
@@ -1162,7 +1174,9 @@ static int iwl_mvm_tx_mpdu(struct iwl_mvm *mvm, struct sk_buff *skb,
 
        spin_unlock(&mvmsta->lock);
 
-       iwl_mvm_tx_pkt_queued(mvm, mvmsta, tid == IWL_MAX_TID_COUNT ? 0 : tid);
+       if (iwl_mvm_tx_pkt_queued(mvm, mvmsta,
+                                 tid == IWL_MAX_TID_COUNT ? 0 : tid))
+               goto drop;
 
        return 0;
 

diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c b/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
index 156ca1b1f621a08a5dc18956791a62adbc80e9df..af2791502b7db5a1838101c9f2e8c30e250137d2 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
@@ -214,7 +214,11 @@ static int iwl_pcie_gen2_set_tb(struct iwl_trans *trans,
 {
        struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
        int idx = iwl_pcie_gen2_get_num_tbs(trans, tfd);
-       struct iwl_tfh_tb *tb = &tfd->tbs[idx];
+       struct iwl_tfh_tb *tb;
+
+       if (WARN_ON(idx >= IWL_NUM_OF_TBS))
+               return -EINVAL;
+       tb = &tfd->tbs[idx];
 
        /* Each TFD can point to a maximum max_tbs Tx buffers */
        if (le16_to_cpu(tfd->num_tbs) >= trans_pcie->max_tbs) {