On Thu, Mar 25, 2021 at 11:48:22AM +0000, Ricardo Mestre wrote:
> Hi,
>
> As the comment already explains, `mcs' may arrive invalid from the hardware,
> but the code uses it as an index before actually checking its value. The patch
> below adjusts it so that it's only used after the check.
>
> Reported on CID 1502921.
>
> Only compile tested. Comments, OK?
ok stsp@
Thanks!
>
> Index: ieee80211_ra.c
> ===================================================================
> RCS file: /cvs/src/sys/net80211/ieee80211_ra.c,v
> retrieving revision 1.1
> diff -u -p -u -1 -0 -r1.1 ieee80211_ra.c
> --- ieee80211_ra.c 12 Mar 2021 16:26:27 -0000 1.1
> +++ ieee80211_ra.c 24 Mar 2021 08:34:33 -0000
> @@ -537,34 +537,35 @@ ieee80211_ra_valid_rates(struct ieee8021
> }
>
> void
> ieee80211_ra_add_stats_ht(struct ieee80211_ra_node *rn,
> struct ieee80211com *ic, struct ieee80211_node *ni,
> int mcs, uint32_t total, uint32_t fail)
> {
> static const uint64_t alpha = RA_FP_1 / 8; /* 1/8 = 0.125 */
> static const uint64_t beta = RA_FP_1 / 4; /* 1/4 = 0.25 */
> int s, sgi20;
> - struct ieee80211_ra_goodput_stats *g = &rn->g[mcs];
> + struct ieee80211_ra_goodput_stats *g;
> uint64_t sfer, rate, delta;
>
> /*
> * Ignore invalid values. These values may come from hardware
> * so asserting valid values via panic is not appropriate.
> */
> if (mcs < 0 || mcs >= IEEE80211_HT_RATESET_NUM_MCS)
> return;
> if (total == 0)
> return;
>
> s = splnet();
>
> + g = &rn->g[mcs];
> g->nprobe_pkts += total;
> g->nprobe_fail += fail;
>
> if (g->nprobe_pkts < IEEE80211_RA_MIN_PROBE_FRAMES &&
> g->nprobe_fail < IEEE80211_RA_MAX_PROBE_RETRIES) {
> splx(s);
> return;
> }
>
> if (g->nprobe_fail > g->nprobe_pkts) {
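Review bot: The added `g = &rn->g[mcs];` after `splnet()` carries no comment linking it to the range check a few lines above, so a later cleanup could fold it back into the declaration and bring back the unchecked index computation; I would add `/* mcs was range-checked above; index rn->g[] only after that check */` on the line before it. The check bounds `mcs` by `IEEE80211_HT_RATESET_NUM_MCS`, but the declaration of `rn->g` is not in the hunk, so it is worth confirming the array has at least that many entries, since `mcs` comes from hardware and the following `+=` lines write through `g`. As far as the visible lines show, the assignment does not depend on the `splnet()` section and could sit just before `s = splnet();`. The body of ieee80211_ra_add_stats_ht continues past the end of the hunk.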
>