diff options
| author | Luciano Coelho <coelho@ti.com> | 2011-12-13 04:39:02 -0500 |
|---|---|---|
| committer | Luciano Coelho <coelho@ti.com> | 2011-12-15 02:58:41 -0500 |
| commit | f414218ed8bc716825755c9cf59f16a19f28314a (patch) | |
| tree | e2374f0aa4635694bf9d55e00d93e88e4dcb33b8 /drivers/net/wireless | |
| parent | 3f1764945eaac532c20ab1f23afa352a40f797b2 (diff) | |
wl12xx: don't write out of bounds when hlid > WL12XX_MAX_LINKS
We should not get an hlid value bigger than WL12XX_MAX_LINKS from
wl1271_rx_handle_data(). We have a WARN_ON in case it happens. But
despite the warning, we would still go ahead and write the hlid bit
into active_hlids (a stack variable). This would cause us to
overwrite other data in the stack.
To avoid this problem, we now skip the write when issuing the warning,
so at least we don't corrupt data.
Signed-off-by: Luciano Coelho <coelho@ti.com>
Diffstat (limited to 'drivers/net/wireless')
| -rw-r--r-- | drivers/net/wireless/wl12xx/rx.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/drivers/net/wireless/wl12xx/rx.c b/drivers/net/wireless/wl12xx/rx.c index 8c277c0cb37..4fbd2a722ff 100644 --- a/drivers/net/wireless/wl12xx/rx.c +++ b/drivers/net/wireless/wl12xx/rx.c | |||
| @@ -258,8 +258,12 @@ void wl12xx_rx(struct wl1271 *wl, struct wl12xx_fw_status *status) | |||
| 258 | wl->aggr_buf + pkt_offset, | 258 | wl->aggr_buf + pkt_offset, |
| 259 | pkt_length, unaligned, | 259 | pkt_length, unaligned, |
| 260 | &hlid) == 1) { | 260 | &hlid) == 1) { |
| 261 | WARN_ON(hlid >= WL12XX_MAX_LINKS); | 261 | if (hlid < WL12XX_MAX_LINKS) |
| 262 | __set_bit(hlid, active_hlids); | 262 | __set_bit(hlid, active_hlids); |
| 263 | else | ||
| 264 | WARN(1, | ||
| 265 | "hlid exceeded WL12XX_MAX_LINKS " | ||
| 266 | "(%d)\n", hlid); | ||
| 263 | } | 267 | } |
| 264 | 268 | ||
| 265 | wl->rx_counter++; | 269 | wl->rx_counter++; |