wifi: mt76: mt7925: fix off by one in mt7925_load_clc()

BugLink: https://bugs.launchpad.net/bugs/2111953

[ Upstream commit 08fa656c91fd5fdf47ba393795b9c0d1e97539ed ]

This comparison should be >= instead of > to prevent an out of bounds
read and write.

Fixes: 9679ca7326e5 ("wifi: mt76: mt7925: fix a potential array-index-out-of-bounds issue for clc")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/84bf5dd2-2fe3-4410-a7af-ae841e41082a@stanley.mountain
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
CVE-2024-57990
Signed-off-by: Manuel Diewald <manuel.diewald@canonical.com>
Signed-off-by: Mehmet Basaran <mehmet.basaran@canonical.com>
This commit is contained in:
Dan Carpenter
2024-09-11 10:43:03 +03:00
committed by Mehmet Basaran
parent 31190e5cbf
commit 2f47402ee4
@@ -613,7 +613,7 @@ static int mt7925_load_clc(struct mt792x_dev *dev, const char *fw_name)
for (offset = 0; offset < len; offset += le32_to_cpu(clc->len)) {
clc = (const struct mt7925_clc *)(clc_base + offset);
if (clc->idx > ARRAY_SIZE(phy->clc))
if (clc->idx >= ARRAY_SIZE(phy->clc))
break;
/* do not init buf again if chip reset triggered */