[lvc-project] [PATCH] wifi: mac80211: fix buffer overflow in ieee80211_rx_get_bigtk()

From: Igor Artemiev
Date: Wed Oct 04 2023 - 10:38:56 EST


If 'idx' is 0, then 'idx2' is -1, and arrays
will be accessed by a negative index.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Igor Artemiev <Igor.A.Artemiev@xxxxxxx>
---
net/mac80211/rx.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index e751cda5eef6..e686380434bd 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1868,10 +1868,13 @@ ieee80211_rx_get_bigtk(struct ieee80211_rx_data *rx, int idx)
key = rcu_dereference(rx->link_sta->gtk[idx]);
if (!key)
key = rcu_dereference(rx->link->gtk[idx]);
- if (!key && rx->link_sta)
- key = rcu_dereference(rx->link_sta->gtk[idx2]);
- if (!key)
- key = rcu_dereference(rx->link->gtk[idx2]);
+
+ if (idx2 >= 0) {
+ if (!key && rx->link_sta)
+ key = rcu_dereference(rx->link_sta->gtk[idx2]);
+ if (!key)
+ key = rcu_dereference(rx->link->gtk[idx2]);
+ }

return key;
}
--
2.30.2