mwifiex: add a bounds check in mwifiex_process_sta_rx_packet()

Smatch complains that "local_rx_pd->priority" can't be trusted because it comes from skb->data and it can go up to 255 instead of being capped in the 0-7 range. A few lines earlier, on the other side of the if statement, we cap priority so it seems harmless to add a bounds check here as well. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

mwifiex: add a bounds check in mwifiex_process_sta_rx_packet()
Smatch complains that "local_rx_pd->priority" can't be trusted because it comes from skb->data and it can go up to 255 instead of being capped in the 0-7 range. A few lines earlier, on the other side of the if statement, we cap priority so it seems harmless to add a bounds check here as well. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2cd2b424 · Dan Carpenter · Kalle Valo · 003b686a · 2cd2b424
Commit 2cd2b424 authored Apr 02, 2019 by Dan Carpenter Committed by Kalle Valo Apr 04, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

drivers/net/wireless/marvell/mwifiex/sta_rx.c drivers/net/wireless/marvell/mwifiex/sta_rx.c +2 -1

No files found.
--- a/drivers/net/wireless/marvell/mwifiex/sta_rx.c
+++ b/drivers/net/wireless/marvell/mwifiex/sta_rx.c
@@ -250,7 +250,8 @@ int mwifiex_process_sta_rx_packet(struct mwifiex_private *priv,
 							     local_rx_pd->nf);
 		}
 	} else {
-		if (rx_pkt_type != PKT_TYPE_BAR)
+		if (rx_pkt_type != PKT_TYPE_BAR &&
+		    local_rx_pd->priority < MAX_NUM_TID)
 			priv->rx_seq[local_rx_pd->priority] = seq_num;
 		memcpy(ta, priv->curr_bss_params.bss_descriptor.mac_address,
 		       ETH_ALEN);