ath11k_wmi_tlv_ext_hal_reg_caps() copies firmware regulatory capability records into soc->hal_reg_cap[] using reg_cap.phy_id as the destination index. The loop count is bounded by num_phy, but the phy_id embedded in each record is not checked against the fixed MAX_RADIOS-sized destination array. Reject firmware records whose phy_id does not fit soc->hal_reg_cap[] before copying the parsed capability. Signed-off-by: Pengpeng Hou --- drivers/net/wireless/ath/ath11k/wmi.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/drivers/net/wireless/ath/ath11k/wmi.c +++ b/drivers/net/wireless/ath/ath11k/wmi.c @@ -4856,6 +4856,12 @@ if (ret) { ath11k_warn(soc, "failed to extract reg cap %d\n", i); return ret; + } + + if (reg_cap.phy_id >= ARRAY_SIZE(soc->hal_reg_cap)) { + ath11k_warn(soc, "invalid reg cap phy_id %u\n", + reg_cap.phy_id); + return -EINVAL; } memcpy(&soc->hal_reg_cap[reg_cap.phy_id],
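Review bot: In the added phy_id check, the warning prints only reg_cap.phy_id. Unlike the "failed to extract reg cap %d" message directly above it, it leaves out the loop index i and the array bound, so the log does not show which firmware record was rejected or what the limit was. Consider a message along the lines of "invalid reg cap %d phy_id %u (max %zu)", passing i and ARRAY_SIZE(soc->hal_reg_cap). Separately, return -EINVAL ends the loop on the first bad record, the same as the extraction-failure path, while the commit message speaks of rejecting records. Either say in the commit message that one out-of-range phy_id fails the whole parse, or skip the record with continue if dropping only that entry was the intent. The placement of the check, after the extract call succeeds and before the memcpy() into soc->hal_reg_cap[reg_cap.phy_id], is where it needs to be.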