Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc()

TID getting from ieee80211_get_tid() might be out of range of array size
of sta_entry->tids[], so check TID is less than MAX_TID_COUNT. Otherwise,
UBSAN warn:

UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c:514:30
index 10 is out of range for type 'rtl_tid_data [9]'

Fixes: 8ca4cdef9329 ("wifi: rtlwifi: rtl8192cu: Fix TX aggregation")
Signed-off-by: Morning Star <alexbestoso@gmail.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/1764232628-13625-1-git-send-email-pkshih@realtek.com

authored by Morning Star and committed by Ping-Ke Shih
dd39edb4 f3ccdfda

+2 -1
drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c
··· 511 511 if (sta) { 512 512 sta_entry = (struct rtl_sta_info *)sta->drv_priv; 513 513 tid = ieee80211_get_tid(hdr); 514 - agg_state = sta_entry->tids[tid].agg.agg_state; 514 + if (tid < MAX_TID_COUNT) 515 + agg_state = sta_entry->tids[tid].agg.agg_state; 515 516 ampdu_density = sta->deflink.ht_cap.ampdu_density; 516 517 } 517 518
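
Review bot: With the new `if (tid < MAX_TID_COUNT)` guard, `agg_state` is assigned only on the in-range path, so for an out-of-range TID (the UBSAN report shows index 10 against a 9-entry `tids[]`) the code that follows uses whatever value `agg_state` had before this block, and its declaration and initial value are not visible in this hunk. Please confirm it is initialised to a safe non-aggregating default, or add an explicit `else` that sets one, so the skipped lookup cannot leave a stale or uninitialised state driving the aggregation fields of the descriptor. A one-line comment at the check stating that the value from `ieee80211_get_tid()` can exceed the size of `sta_entry->tids[]` would also tell later readers why the bound is needed here.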