mt76: mt7915: potential array overflow in mt7915_mcu_tx_rate_report()

[linux-2.6-microblaze.git] / drivers / net / wireless / mediatek / mt76 / mt7915 / mcu.c

diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
index fa9f32f..93b1439 100644 (file)
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
@@ -505,15 +505,22 @@ static void
 mt7915_mcu_tx_rate_report(struct mt7915_dev *dev, struct sk_buff *skb)
 {
        struct mt7915_mcu_ra_info *ra = (struct mt7915_mcu_ra_info *)skb->data;
-       u16 wcidx = le16_to_cpu(ra->wlan_idx);
-       struct mt76_wcid *wcid = rcu_dereference(dev->mt76.wcid[wcidx]);
-       struct mt7915_sta *msta = container_of(wcid, struct mt7915_sta, wcid);
-       struct mt7915_sta_stats *stats = &msta->stats;
-       struct mt76_phy *mphy = &dev->mphy;
        struct rate_info rate = {}, prob_rate = {};
+       u16 probe = le16_to_cpu(ra->prob_up_rate);
        u16 attempts = le16_to_cpu(ra->attempts);
        u16 curr = le16_to_cpu(ra->curr_rate);
-       u16 probe = le16_to_cpu(ra->prob_up_rate);
+       u16 wcidx = le16_to_cpu(ra->wlan_idx);
+       struct mt76_phy *mphy = &dev->mphy;
+       struct mt7915_sta_stats *stats;
+       struct mt7915_sta *msta;
+       struct mt76_wcid *wcid;
+
+       if (wcidx >= MT76_N_WCIDS)
+               return;
+
+       wcid = rcu_dereference(dev->mt76.wcid[wcidx]);
+       msta = container_of(wcid, struct mt7915_sta, wcid);
+       stats = &msta->stats;
 
        if (msta->wcid.ext_phy && dev->mt76.phy2)
                mphy = dev->mt76.phy2;