Author: kevans
Date: Tue Aug 6 20:21:57 2019
New Revision: 350657
URL: https://svnweb.freebsd.org/changeset/base/350657
Log:
ral: rt2860: fix wcid2ni access/size issue
RT2860_WCID_MAX is supposed to describe the max STA index for wcid2ni, and
was instead being used as the size -- off-by-one.
rt2860_drain_stats_fifo was range-checking wcid only after accessing
out-of-bounds potentially.
Submitted by: Augustin Cavalier <waddlespl...@gmail.com> (basically)
Obtained from: Haiku (58d16d9fe2d5a209cf22823359a8407d138e1a87)
Differential Revision: 3 days
Modified:
head/sys/dev/ral/rt2860.c
head/sys/dev/ral/rt2860var.h
Modified: head/sys/dev/ral/rt2860.c
==============================================================================
--- head/sys/dev/ral/rt2860.c Tue Aug 6 20:13:28 2019 (r350656)
+++ head/sys/dev/ral/rt2860.c Tue Aug 6 20:21:57 2019 (r350657)
@@ -1092,10 +1092,12 @@ rt2860_drain_stats_fifo(struct rt2860_softc *sc)
DPRINTFN(4, ("tx stat 0x%08x\n", stat));
wcid = (stat >> RT2860_TXQ_WCID_SHIFT) & 0xff;
+ if (wcid > RT2860_WCID_MAX)
+ continue;
ni = sc->wcid2ni[wcid];
/* if no ACK was requested, no feedback is available */
- if (!(stat & RT2860_TXQ_ACKREQ) || wcid == 0xff || ni == NULL)
+ if (!(stat & RT2860_TXQ_ACKREQ) || ni == NULL)
continue;
/* update per-STA AMRR stats */
Modified: head/sys/dev/ral/rt2860var.h
==============================================================================
--- head/sys/dev/ral/rt2860var.h Tue Aug 6 20:13:28 2019
(r350656)
+++ head/sys/dev/ral/rt2860var.h Tue Aug 6 20:21:57 2019
(r350657)
@@ -142,7 +142,7 @@ struct rt2860_softc {
#define RT2860_PCIE (1 << 2)
#define RT2860_RUNNING (1 << 3)
- struct ieee80211_node *wcid2ni[RT2860_WCID_MAX];
+ struct ieee80211_node *wcid2ni[RT2860_WCID_MAX + 1];
struct rt2860_tx_ring txq[6];
struct rt2860_rx_ring rxq;
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
