wifi: mt76: mt7925: fix off by one in mt7925_load_clc()
BugLink: https://bugs.launchpad.net/bugs/2111953 [ Upstream commit 08fa656c91fd5fdf47ba393795b9c0d1e97539ed ] This comparison should be >= instead of > to prevent an out of bounds read and write. Fixes: 9679ca7326e5 ("wifi: mt76: mt7925: fix a potential array-index-out-of-bounds issue for clc") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Link: https://patch.msgid.link/84bf5dd2-2fe3-4410-a7af-ae841e41082a@stanley.mountain Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: Sasha Levin <sashal@kernel.org> CVE-2024-57990 Signed-off-by: Manuel Diewald <manuel.diewald@canonical.com> Signed-off-by: Mehmet Basaran <mehmet.basaran@canonical.com>
This commit is contained in:
committed by
Mehmet Basaran
parent
31190e5cbf
commit
2f47402ee4
@@ -613,7 +613,7 @@ static int mt7925_load_clc(struct mt792x_dev *dev, const char *fw_name)
|
||||
for (offset = 0; offset < len; offset += le32_to_cpu(clc->len)) {
|
||||
clc = (const struct mt7925_clc *)(clc_base + offset);
|
||||
|
||||
if (clc->idx > ARRAY_SIZE(phy->clc))
|
||||
if (clc->idx >= ARRAY_SIZE(phy->clc))
|
||||
break;
|
||||
|
||||
/* do not init buf again if chip reset triggered */
|
||||
|
||||
Reference in New Issue
Block a user