mac80211: fix possible out-of-bounds access
[cascardo/linux.git] / net / mac80211 / mlme.c
index 8d426f6..7486f2d 100644 (file)
@@ -1672,11 +1672,15 @@ __ieee80211_sta_handle_tspec_ac_params(struct ieee80211_sub_if_data *sdata)
                             non_acm_ac++)
                                if (!(sdata->wmm_acm & BIT(7 - 2 * non_acm_ac)))
                                        break;
-                       /* The loop will result in using BK even if it requires
-                        * admission control, such configuration makes no sense
-                        * and we have to transmit somehow - the AC selection
-                        * does the same thing.
+                       /* Usually the loop will result in using BK even if it
+                        * requires admission control, but such a configuration
+                        * makes no sense and we have to transmit somehow - the
+                        * AC selection does the same thing.
+                        * If we started out trying to downgrade from BK, then
+                        * the extra condition here might be needed.
                         */
+                       if (non_acm_ac >= IEEE80211_NUM_ACS)
+                               non_acm_ac = IEEE80211_AC_BK;
                        if (drv_conf_tx(local, sdata, ac,
                                        &sdata->tx_conf[non_acm_ac]))
                                sdata_err(sdata,
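Review bot: The reworded comment above `if (non_acm_ac >= IEEE80211_NUM_ACS)` says the clamp "might be needed" only when downgrading from BK, and never states that this check is what keeps the `sdata->tx_conf[non_acm_ac]` index in bounds. The loop header is mostly outside the hunk, but if its bound is `non_acm_ac < IEEE80211_NUM_ACS`, as the new check suggests, the loop also ends with `non_acm_ac == IEEE80211_NUM_ACS` whenever every lower AC has its ACM bit set. In that case "usually the loop will result in using BK" looks inaccurate too. I would state the invariant directly, e.g. `/* The loop can end with non_acm_ac == IEEE80211_NUM_ACS (no lower AC without ACM, or ac was already BK); fall back to BK so the tx_conf[] index stays in bounds. */`. The function body starts and ends outside the hunk.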