wifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps()
author Baochen Qiang <quic_bqiang@quicinc.com>
Wed, 20 Sep 2023 13:43:42 +0000 (16:43 +0300)
committer Kalle Valo <quic_kvalo@quicinc.com>
Thu, 21 Sep 2023 08:02:07 +0000 (11:02 +0300)

reg_cap.phy_id is extracted from WMI event and could be an unexpected value
in case some errors happen. As a result out-of-bound write may occur to
soc->hal_reg_cap. Fix it by validating reg_cap.phy_id before using it.

This is found during code review.

Compile tested only.

Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230830020716.5420-1-quic_bqiang@quicinc.com
drivers/net/wireless/ath/ath12k/wmi.c

index acc5fc8fbce6c24911cdd3852a6b15ee6530e4d1..a771ffa9a30968b0d050dc30380b60686cba4ebc 100644 (file)
@@ -3876,6 +3876,12 @@ static int ath12k_wmi_ext_hal_reg_caps(struct ath12k_base *soc,
                        ath12k_warn(soc, "failed to extract reg cap %d\n", i);
                        return ret;
                }
+
+               if (reg_cap.phy_id >= MAX_RADIOS) {
+                       ath12k_warn(soc, "unexpected phy id %u\n", reg_cap.phy_id);
+                       return -EINVAL;
+               }
+
                soc->hal_reg_cap[reg_cap.phy_id] = reg_cap;
        }
        return 0;
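
Review bot: The new check on reg_cap.phy_id compares against MAX_RADIOS, but nothing in the hunk shows that soc->hal_reg_cap is declared with that size. Comparing against ARRAY_SIZE(soc->hal_reg_cap) would tie the bound to the array that is actually indexed on the next line and keep the check correct if the declaration ever changes. Separately, the early return -EINVAL sits inside the loop, so entries stored by earlier iterations remain in soc->hal_reg_cap when a later phy_id is rejected; it is worth confirming that the caller treats the error as fatal and does not consume that partially filled table. Since the commit message says the change was compile tested only, a short comment above the check stating that phy_id comes from the WMI event and is untrusted would help future readers understand why it is there.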