From 07c82a4e5beed28a9d2f69bc687a4668ca2754c4 Mon Sep 17 00:00:00 2001 From: Emmanuel Grumbach Date: Thu, 19 Mar 2026 11:09:14 +0200 Subject: [PATCH] wifi: iwlwifi: ensure we don't read SAR values past the limit When we fill the SAR values, we read values from the BIOS store in the firmware runtime object and write them into the command that we send to the firmware. We assumed that the size of the firmware command is not longer than the BIOS tables. This has been true until now, but this is not really safe. We will soon have an firmware API change that will increase the size of the table in the command and we want to make sure that we don't have a buffer overrun when we read the firmware runtime object. Add this safety measure. Signed-off-by: Emmanuel Grumbach Signed-off-by: Miri Korenblit Link: https://patch.msgid.link/20260319110722.99aaf2df072a.I5942590b81324b17e2a369f0c354cafee0f70ef5@changeid --- drivers/net/wireless/intel/iwlwifi/fw/regulatory.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/wireless/intel/iwlwifi/fw/regulatory.c b/drivers/net/wireless/intel/iwlwifi/fw/regulatory.c index 958e71a3c958..5793c267daf7 100644 --- a/drivers/net/wireless/intel/iwlwifi/fw/regulatory.c +++ b/drivers/net/wireless/intel/iwlwifi/fw/regulatory.c @@ -241,6 +241,10 @@ static int iwl_sar_fill_table(struct iwl_fw_runtime *fwrt, int profs[BIOS_SAR_NUM_CHAINS] = { prof_a, prof_b }; int i, j; + if (WARN_ON_ONCE(n_subbands > + ARRAY_SIZE(fwrt->sar_profiles[0].chains[0].subbands))) + return -EINVAL; + for (i = 0; i < BIOS_SAR_NUM_CHAINS; i++) { struct iwl_sar_profile *prof;