authorMasashi Honma <[email protected]>2019-09-08 09:56:53 +0900
committerJohannes Berg <[email protected]>2019-09-11 09:33:29 +0200
commit4b2c5a14cd8005a900075f7dfec87473c6ee66fb (patch)
tree08c2e1322322e48c7be418f9eec450f3730b4c0e
parent06354665f92fa8be36124a8ba7113cdfa40d9df5 (diff)
nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds
Commit 1222a1601488 ("nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds") was incomplete and requires one more fix to prevent access to rssi_thresholds[n], because the user can control the rssi_thresholds[i] values so that i reaches n. For example, rssi_thresholds = {-400, -300, -200, -100} when last is -34. Cc: [email protected] Fixes: 1222a1601488 ("nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds") Reported-by: Dan Carpenter <[email protected]> Signed-off-by: Masashi Honma <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Johannes Berg <[email protected]>
-rw-r--r--net/wireless/nl80211.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 0c7fa6004ffb..d21b1581a665 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -10805,9 +10805,11 @@ static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
hyst = wdev->cqm_config->rssi_hyst;
n = wdev->cqm_config->n_rssi_thresholds;
- for (i = 0; i < n; i++)
+ for (i = 0; i < n; i++) {
+ i = array_index_nospec(i, n);
if (last < wdev->cqm_config->rssi_thresholds[i])
break;
+ }
low_index = i - 1;
if (low_index >= 0) {
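Review bot: The added `i = array_index_nospec(i, n);` reassigns the loop counter inside the loop body with no comment, so it reads as a no-op (architecturally it returns `i` unchanged, since `i < n` has just been checked) and is an easy target for a later cleanup. I would put a one-line comment above it, for example `/* thresholds are user-controlled: clamp i so a mispredicted i < n cannot index rssi_thresholds[n] speculatively */`. cfg80211_cqm_rssi_update() starts and ends outside this hunk, so whether the later uses of `i` and `low_index` are clamped the same way cannot be confirmed from here; the commit message suggests commit 1222a1601488 handled part of that.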