artulab
projects / openbsd / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 34d6c77) | patch
In iwx(4), fix off-by-one errors during TID value bounds checks.
authorstsp <stsp@openbsd.org>
Mon, 22 Nov 2021 10:47:55 +0000 (10:47 +0000)
committerstsp <stsp@openbsd.org>
Mon, 22 Nov 2021 10:47:55 +0000 (10:47 +0000)
commit16385fb6d5847fcdcc8eac963e36d650b57391ec
tree481dc4b06e01a631bce314d313eb63ca99dc5273tree | snapshot
parent34d6c773ee76548293958cf85f9c9915415a1b29commit | diff
In iwx(4), fix off-by-one errors during TID value bounds checks.

The TID is used as an array index and, according to the Linux driver,
must be smaller than IWX_MAX_TID_COUNT (8). The AP might request an Rx
aggregation session using TID 8. Our driver uses the TID as an index into
an array of IEEE80211_NUM_TID (16) elements, and hence would not crash.
However, the index is exposed to firmware which could potentially crash
or raise an assertion failure for values >= 8.

ok kettenis@
sys/dev/pci/if_iwx.c diff | blob | history
OpenBSD src
by Ahmet Artu Yildirim