wifi: iwlwifi: mvm: Check BAR packet size before accessing data
authorDaniel Gabay <daniel.gabay@intel.com>
Thu, 26 Dec 2024 15:44:50 +0000 (17:44 +0200)
committerJohannes Berg <johannes.berg@intel.com>
Mon, 13 Jan 2025 13:00:54 +0000 (14:00 +0100)
Validate the BAR frame release size before using its fields to avoid
potential invalid memory access.

Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20241226174257.72161a6c07c3.I4887bad2355213b201fca2da1836c9a3203ab42d@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c

index a2f16bf..e8ea489 100644 (file)
@@ -2506,19 +2506,21 @@ void iwl_mvm_rx_bar_frame_release(struct iwl_mvm *mvm, struct napi_struct *napi,
 {
        struct iwl_rx_packet *pkt = rxb_addr(rxb);
        struct iwl_bar_frame_release *release = (void *)pkt->data;
-       unsigned int baid = le32_get_bits(release->ba_info,
-                                         IWL_BAR_FRAME_RELEASE_BAID_MASK);
-       unsigned int nssn = le32_get_bits(release->ba_info,
-                                         IWL_BAR_FRAME_RELEASE_NSSN_MASK);
-       unsigned int sta_id = le32_get_bits(release->sta_tid,
-                                           IWL_BAR_FRAME_RELEASE_STA_MASK);
-       unsigned int tid = le32_get_bits(release->sta_tid,
-                                        IWL_BAR_FRAME_RELEASE_TID_MASK);
        struct iwl_mvm_baid_data *baid_data;
+       unsigned int baid, nssn, sta_id, tid;
 
        if (unlikely(iwl_rx_packet_payload_len(pkt) < sizeof(*release)))
                return;
 
+       baid = le32_get_bits(release->ba_info,
+                            IWL_BAR_FRAME_RELEASE_BAID_MASK);
+       nssn = le32_get_bits(release->ba_info,
+                            IWL_BAR_FRAME_RELEASE_NSSN_MASK);
+       sta_id = le32_get_bits(release->sta_tid,
+                              IWL_BAR_FRAME_RELEASE_STA_MASK);
+       tid = le32_get_bits(release->sta_tid,
+                           IWL_BAR_FRAME_RELEASE_TID_MASK);
+
        if (WARN_ON_ONCE(baid == IWL_RX_REORDER_DATA_INVALID_BAID ||
                         baid >= ARRAY_SIZE(mvm->baid_map)))
                return;
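Review bot: The short-payload path at `if (unlikely(iwl_rx_packet_payload_len(pkt) < sizeof(*release))) return;` drops the notification silently, whereas the invalid-BAID path just below uses `WARN_ON_ONCE`. A truncated BAR release from firmware would therefore leave no trace, so consider a rate-limited debug print before the `return`. The ordering is now the safety property: `release` is still set to `pkt->data` before the check, and only the field reads were moved after it. A comment above the check would keep a later cleanup from folding the reads back into initializers, for example `/* release aliases pkt->data: read no field before the length check */`. The function body continues past the end of the hunk, so whether `sta_id` and `tid` are range-checked before use cannot be confirmed from here.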