mac80211: fix VHT MCS mask array overrun
authorJohannes Berg <johannes.berg@intel.com>
Fri, 21 Aug 2015 12:07:13 +0000 (14:07 +0200)
committerJohannes Berg <johannes.berg@intel.com>
Tue, 22 Sep 2015 13:19:48 +0000 (15:19 +0200)
The HT MCS mask has 9 bytes, the VHT one only has 8 streams.
Split the loops to handle this correctly.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
net/mac80211/cfg.c

index 17b1fe961c5d67b958346dee07e265448408cc71..a30ec3ce3d25eb3d16c8391476171c5aef3abb57 100644 (file)
@@ -2518,15 +2518,17 @@ static int ieee80211_set_bitrate_mask(struct wiphy *wiphy,
                        continue;
 
                for (j = 0; j < IEEE80211_HT_MCS_MASK_LEN; j++) {
-                       if (~sdata->rc_rateidx_mcs_mask[i][j])
+                       if (~sdata->rc_rateidx_mcs_mask[i][j]) {
                                sdata->rc_has_mcs_mask[i] = true;
+                               break;
+                       }
+               }
 
-                       if (~sdata->rc_rateidx_vht_mcs_mask[i][j])
+               for (j = 0; j < NL80211_VHT_NSS_MAX; j++) {
+                       if (~sdata->rc_rateidx_vht_mcs_mask[i][j]) {
                                sdata->rc_has_vht_mcs_mask[i] = true;
-
-                       if (sdata->rc_has_mcs_mask[i] &&
-                           sdata->rc_has_vht_mcs_mask[i])
                                break;
+                       }
                }
        }