diff options
| author | Emmanuel Grumbach <emmanuel.grumbach@intel.com> | 2026-03-19 12:09:14 +0300 |
|---|---|---|
| committer | Miri Korenblit <miriam.rachel.korenblit@intel.com> | 2026-03-25 12:31:55 +0300 |
| commit | 07c82a4e5beed28a9d2f69bc687a4668ca2754c4 (patch) | |
| tree | d62e0e6f35b7353716e26d6a56edb0040a2eb0cb | |
| parent | 078df640ef057d57d22c064f5d980aead29ba23d (diff) | |
| download | linux-07c82a4e5beed28a9d2f69bc687a4668ca2754c4.tar.xz | |
wifi: iwlwifi: ensure we don't read SAR values past the limit
When we fill the SAR values, we read values from the BIOS store in the
firmware runtime object and write them into the command that we send to
the firmware.
We assumed that the size of the firmware command is not longer than the
BIOS tables. This has been true until now, but this is not really safe.
We will soon have an firmware API change that will increase the size of
the table in the command and we want to make sure that we don't have a
buffer overrun when we read the firmware runtime object.
Add this safety measure.
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260319110722.99aaf2df072a.I5942590b81324b17e2a369f0c354cafee0f70ef5@changeid
| -rw-r--r-- | drivers/net/wireless/intel/iwlwifi/fw/regulatory.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/net/wireless/intel/iwlwifi/fw/regulatory.c b/drivers/net/wireless/intel/iwlwifi/fw/regulatory.c index 958e71a3c958..5793c267daf7 100644 --- a/drivers/net/wireless/intel/iwlwifi/fw/regulatory.c +++ b/drivers/net/wireless/intel/iwlwifi/fw/regulatory.c @@ -241,6 +241,10 @@ static int iwl_sar_fill_table(struct iwl_fw_runtime *fwrt, int profs[BIOS_SAR_NUM_CHAINS] = { prof_a, prof_b }; int i, j; + if (WARN_ON_ONCE(n_subbands > + ARRAY_SIZE(fwrt->sar_profiles[0].chains[0].subbands))) + return -EINVAL; + for (i = 0; i < BIOS_SAR_NUM_CHAINS; i++) { struct iwl_sar_profile *prof; |