The TID is used as an array index and, according to the Linux driver,
must be smaller than IWX_MAX_TID_COUNT (8). The AP might request an Rx
aggregation session using TID 8. Our driver uses the TID as an index into
an array of IEEE80211_NUM_TID (16) elements, and hence would not crash.
However, the index is exposed to firmware which could potentially crash
or raise an assertion failure for values >= 8.
ok kettenis@
-/* $OpenBSD: if_iwx.c,v 1.121 2021/11/19 13:05:19 stsp Exp $ */
+/* $OpenBSD: if_iwx.c,v 1.122 2021/11/22 10:47:55 stsp Exp $ */
/*
* Copyright (c) 2014, 2016 genua gmbh <info@genua.de>
struct iwx_softc *sc = IC2IFP(ic)->if_softc;
if (sc->sc_rx_ba_sessions >= IWX_MAX_RX_BA_SESSIONS ||
- tid > IWX_MAX_TID_COUNT)
+ tid >= IWX_MAX_TID_COUNT)
return ENOSPC;
if (sc->ba_rx.start_tidmask & (1 << tid))
{
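Review bot: the two failure conditions in this `if` (a full BA session table and an out-of-range `tid`) both return ENOSPC, so a peer sending a malformed TID is indistinguishable from resource exhaustion at the caller; consider splitting the range check into its own `if` with a distinct return value such as EINVAL. The `>=` bound is the correct comparison for an index into a table of IWX_MAX_TID_COUNT entries, and it also keeps the `1 << tid` test on the next line within the bit range that table size implies.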
struct iwx_softc *sc = IC2IFP(ic)->if_softc;
- if (tid > IWX_MAX_TID_COUNT || sc->ba_rx.stop_tidmask & (1 << tid))
+ if (tid >= IWX_MAX_TID_COUNT || sc->ba_rx.stop_tidmask & (1 << tid))
return;
sc->ba_rx.stop_tidmask = (1 << tid);
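Review bot: the context line `sc->ba_rx.stop_tidmask = (1 << tid);` assigns the bit rather than OR-ing it in, so a stop request for a second TID arriving before the first is processed would overwrite the pending one; the `&` test two lines up only guards against re-requesting the same TID. If only one stop may be outstanding at a time, a comment stating that would help; otherwise `|=` is probably what is intended. The `>=` bound in the changed line is consistent with the start path above.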