Hi, As the comment already explains, `mcs' may arrive from the hardware with an invalid value, yet the code uses it as an array index before actually checking its range; even though nothing is dereferenced before the check, forming `&rn->g[mcs]' with an out-of-range index is already out-of-bounds pointer arithmetic. The patch below adjusts it so that `mcs' is only used after the check.
Reported on CID 1502921. Only compile tested. Comments, OK?
Index: ieee80211_ra.c
===================================================================
RCS file: /cvs/src/sys/net80211/ieee80211_ra.c,v
retrieving revision 1.1
diff -u -p -u -1 -0 -r1.1 ieee80211_ra.c
--- ieee80211_ra.c	12 Mar 2021 16:26:27 -0000	1.1
+++ ieee80211_ra.c	24 Mar 2021 08:34:33 -0000
@@ -537,34 +537,35 @@ ieee80211_ra_valid_rates(struct ieee8021
 }
 void
 ieee80211_ra_add_stats_ht(struct ieee80211_ra_node *rn, struct ieee80211com *ic,
     struct ieee80211_node *ni, int mcs, uint32_t total, uint32_t fail)
 {
 	static const uint64_t alpha = RA_FP_1 / 8; /* 1/8 = 0.125 */
 	static const uint64_t beta = RA_FP_1 / 4; /* 1/4 = 0.25 */
 	int s, sgi20;
-	struct ieee80211_ra_goodput_stats *g = &rn->g[mcs];
+	struct ieee80211_ra_goodput_stats *g;
 	uint64_t sfer, rate, delta;
 	/*
 	 * Ignore invalid values. These values may come from hardware
 	 * so asserting valid values via panic is not appropriate.
 	 */
 	if (mcs < 0 || mcs >= IEEE80211_HT_RATESET_NUM_MCS)
 		return;
 	if (total == 0)
 		return;
 	s = splnet();
+	g = &rn->g[mcs];
 	g->nprobe_pkts += total;
 	g->nprobe_fail += fail;
 	if (g->nprobe_pkts < IEEE80211_RA_MIN_PROBE_FRAMES &&
 	    g->nprobe_fail < IEEE80211_RA_MAX_PROBE_RETRIES) {
 		splx(s);
 		return;
 	}
 	if (g->nprobe_fail > g->nprobe_pkts) {