From: stsp Date: Mon, 22 Nov 2021 10:47:55 +0000 (+0000) Subject: In iwx(4), fix off-by-one errors during TID value bounds checks. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=16385fb6d5847fcdcc8eac963e36d650b57391ec;p=openbsd In iwx(4), fix off-by-one errors during TID value bounds checks. The TID is used as an array index and, according to the Linux driver, must be smaller than IWX_MAX_TID_COUNT (8). The AP might request an Rx aggregation session using TID 8. Our driver uses the TID as an index into an array of IEEE80211_NUM_TID (16) elements, and hence would not crash. However, the index is exposed to firmware which could potentially crash or raise an assertion failure for values >= 8. ok kettenis@ --- diff --git a/sys/dev/pci/if_iwx.c b/sys/dev/pci/if_iwx.c index 38768d23f50..9d396feb6fe 100644 --- a/sys/dev/pci/if_iwx.c +++ b/sys/dev/pci/if_iwx.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_iwx.c,v 1.121 2021/11/19 13:05:19 stsp Exp $ */ +/* $OpenBSD: if_iwx.c,v 1.122 2021/11/22 10:47:55 stsp Exp $ */ /* * Copyright (c) 2014, 2016 genua gmbh @@ -3264,7 +3264,7 @@ iwx_ampdu_rx_start(struct ieee80211com *ic, struct ieee80211_node *ni, struct iwx_softc *sc = IC2IFP(ic)->if_softc; if (sc->sc_rx_ba_sessions >= IWX_MAX_RX_BA_SESSIONS || - tid > IWX_MAX_TID_COUNT) + tid >= IWX_MAX_TID_COUNT) return ENOSPC; if (sc->ba_rx.start_tidmask & (1 << tid)) @@ -3286,7 +3286,7 @@ iwx_ampdu_rx_stop(struct ieee80211com *ic, struct ieee80211_node *ni, { struct iwx_softc *sc = IC2IFP(ic)->if_softc; - if (tid > IWX_MAX_TID_COUNT || sc->ba_rx.stop_tidmask & (1 << tid)) + if (tid >= IWX_MAX_TID_COUNT || sc->ba_rx.stop_tidmask & (1 << tid)) return; sc->ba_rx.stop_tidmask = (1 << tid);
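Review bot: In the iwx_ampdu_rx_start() hunk, the corrected check `tid >= IWX_MAX_TID_COUNT` carries no comment saying why the limit is IWX_MAX_TID_COUNT rather than the size of the array the TID indexes. The commit message gives the reason (the index is exposed to firmware, which may crash or assert for values >= 8, while the driver's own array has IEEE80211_NUM_TID elements), and a short comment to that effect next to the check would keep someone from later relaxing it back to the array bound. The same condition returns ENOSPC both when sc_rx_ba_sessions has reached IWX_MAX_RX_BA_SESSIONS and when the TID is out of range, so the two cases look identical to the caller; consider splitting the test if they should be reported differently.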
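Review bot: In the iwx_ampdu_rx_stop() hunk, the context line `sc->ba_rx.stop_tidmask = (1 << tid);` assigns instead of ORing, while the guard directly above tests a single bit with `sc->ba_rx.stop_tidmask & (1 << tid)`. If a bit for another TID is set in the mask when this runs, the assignment discards it. If the mask is meant to hold several TIDs at once, `|=` looks like what is wanted here; if only one stop can ever be pending, a comment saying so would settle the question. The guard would also read more clearly with parentheses around the `&` term, since it mixes `||` and `&` in one expression.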