qcacld-3.0: Avoid possible array OOB

Jianmin Zhu · PixelBoot · commit 66bc6958e760 · 2025-01-15T18:51:25.000+01:00
Add bound check before access array to avoid out of bound issue.
Separate array bound and duplicate check of 11a and 11b since they have
different length and type.

Change-Id: Icb9382cd42385339532518759de0f6137c5203bd
CRs-Fixed: 3051517
diff --git a/drivers/staging/qcacld-3.0/core/mac/src/pe/lim/lim_assoc_utils.c b/drivers/staging/qcacld-3.0/core/mac/src/pe/lim/lim_assoc_utils.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 2011-2021 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2021 Qualcomm Innovation Center, Inc. All rights reserved.
  *
  * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
  *
@@ -1643,7 +1644,7 @@ lim_populate_peer_rate_set(tpAniSirGlobal pMac,
 {
 	tSirMacRateSet tempRateSet;
 	tSirMacRateSet tempRateSet2;
-	uint32_t i, j, val, min, isArate = 0;
+	uint32_t i, j, val, min;
 	uint8_t aRateIndex = 0;
 	uint8_t bRateIndex = 0;
 
@@ -1703,39 +1704,40 @@ lim_populate_peer_rate_set(tpAniSirGlobal pMac,
 				min = j;
 			}
 		}
-		if (sirIsArate(tempRateSet.rate[min] & 0x7f)) {
-			isArate = 1;
+		/*
+		 * HAL needs to know whether the rate is basic rate or not, as it needs to
+		 * update the response rate table accordingly. e.g. if one of the 11a rates is
+		 * basic rate, then that rate can be used for sending control frames.
+		 * HAL updates the response rate table whenever basic rate set is changed.
+		 */
+		if (basicOnly && !(tempRateSet.rate[min] & 0x80)) {
+			pe_debug("Invalid basic rate");
+		} else if (sirIsArate(tempRateSet.rate[min] & 0x7f)) {
+			if (aRateIndex >= SIR_NUM_11A_RATES) {
+				pe_debug("OOB, aRateIndex: %d", aRateIndex);
+			} else if (aRateIndex >= 1 && (tempRateSet.rate[min] ==
+				   pRates->llaRates[aRateIndex - 1])) {
+				pe_debug("Duplicate 11a rate: %d",
+					 tempRateSet.rate[min]);
+			} else {
+				pRates->llaRates[aRateIndex++] =
+						tempRateSet.rate[min];
+			}
 		} else if (sirIsBrate(tempRateSet.rate[min] & 0x7f)) {
-			isArate = 0;
+			if (bRateIndex >= SIR_NUM_11B_RATES) {
+				pe_debug("OOB, bRateIndex: %d", bRateIndex);
+			} else if (bRateIndex >= 1 && (tempRateSet.rate[min] ==
+				   pRates->llbRates[bRateIndex - 1])) {
+				pe_debug("Duplicate 11b rate: %d",
+					 tempRateSet.rate[min]);
+			} else {
+				pRates->llbRates[bRateIndex++] =
+						tempRateSet.rate[min];
+			}
 		} else {
 			pe_debug("%d is neither 11a nor 11b rate",
 				 tempRateSet.rate[min]);
-			tempRateSet.rate[min] = 0xff;
-			continue;
-		}
-		if (tempRateSet.rate[min] == pRates->llaRates[aRateIndex] ||
-		    tempRateSet.rate[min] == pRates->llbRates[bRateIndex]) {
-			pe_debug("Duplicate rate: %d", tempRateSet.rate[min]);
-			tempRateSet.rate[min] = 0xff;
-			continue;
-		}
-		/*
-		 * HAL needs to know whether the rate is basic rate or not,
-		 * as it needs to update the response rate table accordingly.
-		 * e.g. if one of the 11a rates is basic rate, then that rate
-		 * can be used for sending control frames. HAL updates the
-		 * response rate table whenever basic rate set is changed.
-		 */
-		if (basicOnly && !(tempRateSet.rate[min] & 0x80)) {
-			tempRateSet.rate[min] = 0xff;
-			continue;
 		}
-		if (isArate && aRateIndex < SIR_NUM_11A_RATES)
-			pRates->llaRates[aRateIndex++] =
-					tempRateSet.rate[min];
-		else if (bRateIndex < SIR_NUM_11B_RATES)
-			pRates->llbRates[bRateIndex++] =
-					tempRateSet.rate[min];
 		tempRateSet.rate[min] = 0xff;
 	}
 
