This patch aims to prevent a reliably encountered buffer overflow in rtl92d_dm_txpower_tracking_callback_thermalmeter() caused by accessing the 'ofdm_index[]' array of size 2 with index 'i' equal to 2, which in turn is possible if the value of 'is2t' is 'true'.
The issue in question has been fixed by the following upstream patch that can be cleanly applied to the 5.10 stable branch.
From: Ping-Ke Shih <pkshih@realtek.com>
commit 3f79e541593fecc2a90687eb7162e15a499caa33 upstream.
ofdm_index[] is used to indicate how much power compensation is needed for the current thermal value. For internal PA module or 2.4G band, the min_index is different from other cases.
This issue was originally reported by Dan. He found that the size of ofdm_index[] is 2, but access index 'i' may be equal to 2 if 'rf' is 2 in case of 'is2t'.
In fact, the chunk of code was added to the wrong place, so move it back to the proper place, and then power compensation and buffer overflow are fixed.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20201207031903.7599-1-pkshih@realtek.com
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
---
 drivers/net/wireless/realtek/rtlwifi/rtl8192de/dm.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/dm.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/dm.c index b3f25a228532..6cc9c7649eda 100644 --- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/dm.c +++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/dm.c @@ -986,18 +986,19 @@ static void rtl92d_dm_txpower_tracking_callback_thermalmeter( rtlpriv->dm.cck_index); } for (i = 0; i < rf; i++) { - if (ofdm_index[i] > OFDM_TABLE_SIZE_92D - 1) + if (ofdm_index[i] > OFDM_TABLE_SIZE_92D - 1) { ofdm_index[i] = OFDM_TABLE_SIZE_92D - 1; - else if (ofdm_index[i] < ofdm_min_index) + } else if (internal_pa || + rtlhal->current_bandtype == BAND_ON_2_4G) { + if (ofdm_index[i] < ofdm_min_index_internal_pa) + ofdm_index[i] = ofdm_min_index_internal_pa; + } else if (ofdm_index[i] < ofdm_min_index) { ofdm_index[i] = ofdm_min_index; + } } if (rtlhal->current_bandtype == BAND_ON_2_4G) { if (cck_index > CCK_TABLE_SIZE - 1) { cck_index = CCK_TABLE_SIZE - 1; - } else if (internal_pa || - rtlhal->current_bandtype == BAND_ON_2_4G) { - if (ofdm_index[i] < ofdm_min_index_internal_pa) - ofdm_index[i] = ofdm_min_index_internal_pa; } else if (cck_index < 0) { cck_index = 0; }
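Review bot: the changelog does not mention a second behaviour change in the cck_index block at the end of the hunk. The removed branch `else if (internal_pa || rtlhal->current_bandtype == BAND_ON_2_4G)` sat inside `if (rtlhal->current_bandtype == BAND_ON_2_4G)`, so its condition was always true there and the following `else if (cck_index < 0)` clamp could never run. With the branch moved into the `for (i = 0; i < rf; i++)` loop, where 'i' stays below 'rf', the out-of-bounds ofdm_index[i] access is gone and the lower clamp on cck_index becomes live as well. Please add a sentence to the commit message saying that negative cck_index values are now clamped to 0 on 2.4G, so that anyone bisecting a tx power difference on 5.10 can tie it to this change. A minor style point in the loop: the `internal_pa || ... == BAND_ON_2_4G` test does not depend on 'i', so the applicable minimum index could be chosen once before the loop instead of being re-evaluated for each RF path.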
linux-stable-mirror@lists.linaro.org