| created | 2021-11-29T12:53:30Z |
|---|---|
| begin | 2021-11-22T10:31:58Z |
| end | 2021-11-22T10:47:55Z |
| path | src/sys |
| commits | 1 |
| date | 2021-11-22T10:47:55Z | |||
|---|---|---|---|---|
| author | stsp | |||
| files | src/sys/dev/pci/if_iwx.c | log | diff | annotate |
| message |
In iwx(4), fix off-by-one errors during TID value bounds checks. The TID is used as an array index and, according to the Linux driver, must be smaller than IWX_MAX_TID_COUNT (8). The AP might request an Rx aggregation session using TID 8. Our driver uses the TID as an index into an array of IEEE80211_NUM_TID (16) elements, and hence would not crash. However, the index is exposed to firmware which could potentially crash or raise an assertion failure for values >= 8. ok kettenis@ |
|||