Commit dd39edb4 authored by Morning Star, committed by Ping-Ke Shih

wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc()



TID getting from ieee80211_get_tid() might be out of range of array size
of sta_entry->tids[], so check TID is less than MAX_TID_COUNT. Otherwise,
UBSAN warns:

 UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c:514:30
 index 10 is out of range for type 'rtl_tid_data [9]'

Fixes: 8ca4cdef ("wifi: rtlwifi: rtl8192cu: Fix TX aggregation")
Signed-off-by: Morning Star <alexbestoso@gmail.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/1764232628-13625-1-git-send-email-pkshih@realtek.com
parent f3ccdfda
+2 −1
@@ -511,6 +511,7 @@ void rtl92cu_tx_fill_desc(struct ieee80211_hw *hw,
	if (sta) {
		sta_entry = (struct rtl_sta_info *)sta->drv_priv;
		tid = ieee80211_get_tid(hdr);
		if (tid < MAX_TID_COUNT)
			agg_state = sta_entry->tids[tid].agg.agg_state;
		ampdu_density = sta->deflink.ht_cap.ampdu_density;
	}
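Review bot: the bound in `if (tid < MAX_TID_COUNT)` is only correct while MAX_TID_COUNT equals the declared length of sta_entry->tids[] (the UBSAN report in the commit message shows 'rtl_tid_data [9]'), so consider `tid < ARRAY_SIZE(sta_entry->tids)` to tie the check to the array itself. Separately, when the check fails, agg_state keeps whatever value it held before this block, and its initialization is not visible in this hunk; it would help to confirm, in a comment or the commit message, that this value is the intended one for frames whose TID falls outside the array.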