ral: rt2860: fix wcid2ni access/size issue

RT2860_WCID_MAX is supposed to describe the max STA index for wcid2ni, and was instead being used as the size -- off-by-one. rt2860_drain_stats_fifo was range-checking wcid only after accessing out-of-bounds potentially. Submitted by: Augustin Cavalier <waddlesplash@gmail.com> (basically) Obtained from: Haiku (58d16d9fe2d5a209cf22823359a8407d138e1a87) Differential Revision: 3 days
2019-08-06 20:21:57 +00:00 · 2019-08-06 20:21:57 +00:00 · 82bac68cdc
commit 82bac68cdc
parent 9cb069b552
2 changed files with 4 additions and 2 deletions
--- a/sys/dev/ral/rt2860.c
+++ b/sys/dev/ral/rt2860.c
@ -1092,10 +1092,12 @@ rt2860_drain_stats_fifo(struct rt2860_softc *sc)
 		DPRINTFN(4, ("tx stat 0x%08x\n", stat));

 		wcid = (stat >> RT2860_TXQ_WCID_SHIFT) & 0xff;
+		if (wcid > RT2860_WCID_MAX)
+			continue;
 		ni = sc->wcid2ni[wcid];

 		/* if no ACK was requested, no feedback is available */
-		if (!(stat & RT2860_TXQ_ACKREQ) || wcid == 0xff || ni == NULL)
+		if (!(stat & RT2860_TXQ_ACKREQ) || ni == NULL)
 			continue;

 		/* update per-STA AMRR stats */
--- a/sys/dev/ral/rt2860var.h
+++ b/sys/dev/ral/rt2860var.h
@ -142,7 +142,7 @@ struct rt2860_softc {
 #define RT2860_PCIE		(1 << 2)
 #define	RT2860_RUNNING		(1 << 3)

-	struct ieee80211_node		*wcid2ni[RT2860_WCID_MAX];
+	struct ieee80211_node		*wcid2ni[RT2860_WCID_MAX + 1];

 	struct rt2860_tx_ring		txq[6];
 	struct rt2860_rx_ring		rxq;