authorSujith.Manoharan@atheros.com <Sujith.Manoharan@atheros.com>2010-05-11 07:33:36 -0400
committerJohn W. Linville <linville@tuxdriver.com>2010-05-12 16:39:06 -0400
commit8116daf2146d8fbc5d8d925984b3d4fd34dba1b4 (patch)
tree233a47f5e67c85878101241b9011e6b51605b529
parentd8c49ffb2e2a47b23fec7f469435e7b112e2e569 (diff)
ath9k_htc: Fix array overflow
Use ENDPOINT_MAX instead of HST_ENDPOINT_MAX. This fixes a stack corruption issue. This is based on a patch sent by Dan Carpenter <error27@gmail.com>. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Sujith <Sujith.Manoharan@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--drivers/net/wireless/ath/ath9k/htc_hst.c10
-rw-r--r--drivers/net/wireless/ath/ath9k/htc_hst.h5
2 files changed, 6 insertions, 9 deletions
diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index e86e1728c8de..064397fd738e 100644
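--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -39,7 +39,7 @@ static struct htc_endpoint *get_next_avail_ep(struct htc_endpoint *endpoint)
 {
  enum htc_endpoint_id avail_epid;
 
- for (avail_epid = ENDPOINT_MAX; avail_epid > ENDPOINT0; avail_epid--)
+ for (avail_epid = (ENDPOINT_MAX - 1); avail_epid > ENDPOINT0; avail_epid--)
  if (endpoint[avail_epid].service_id == 0)
  return &endpoint[avail_epid];
  return NULL;
@@ -117,7 +117,7 @@ static void htc_process_conn_rsp(struct htc_target *target,
  max_msglen = be16_to_cpu(svc_rspmsg->max_msg_len);
  endpoint = &target->endpoint[epid];
 
- for (tepid = ENDPOINT_MAX; tepid > ENDPOINT0; tepid--) {
+ for (tepid = (ENDPOINT_MAX - 1); tepid > ENDPOINT0; tepid--) {
  tmp_endpoint = &target->endpoint[tepid];
  if (tmp_endpoint->service_id == service_id) {
  tmp_endpoint->service_id = 0;
@@ -125,7 +125,7 @@ static void htc_process_conn_rsp(struct htc_target *target,
  }
  }
 
- if (!tmp_endpoint)
+ if (tepid == ENDPOINT0)
  return;
 
  endpoint->service_id = service_id;
@@ -298,7 +298,7 @@ void htc_stop(struct htc_target *target)
  enum htc_endpoint_id epid;
  struct htc_endpoint *endpoint;
 
- for (epid = ENDPOINT0; epid <= ENDPOINT_MAX; epid++) {
+ for (epid = ENDPOINT0; epid < ENDPOINT_MAX; epid++) {
  endpoint = &target->endpoint[epid];
  if (endpoint->service_id != 0)
  target->hif->stop(target->hif_dev, endpoint->ul_pipeid);
@@ -310,7 +310,7 @@ void htc_start(struct htc_target *target)
  enum htc_endpoint_id epid;
  struct htc_endpoint *endpoint;
 
- for (epid = ENDPOINT0; epid <= ENDPOINT_MAX; epid++) {
+ for (epid = ENDPOINT0; epid < ENDPOINT_MAX; epid++) {
  endpoint = &target->endpoint[epid];
  if (endpoint->service_id != 0)
  target->hif->start(target->hif_dev,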
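Review bot: In the htc_process_conn_rsp hunk (`@@ -117,7 +117,7 @@`), the context line `endpoint = &target->endpoint[epid];` still indexes the array with `epid`, and no bound check is visible; this commit corrects the loop limits but leaves that direct index as it was. With the array now declared as `endpoint[ENDPOINT_MAX]`, any `epid` at or above ENDPOINT_MAX points past the end of it. The assignment of `epid` is above the hunk, so this is inferred, but if the value is read from the target's connect-response message it should be range-checked before use, for example `if (epid >= ENDPOINT_MAX) return;` placed just before the index. The function body starts and ends outside the hunk, so confirm that no earlier check already covers this.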
diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.h b/drivers/net/wireless/ath/ath9k/htc_hst.h
index 4f1cdb003cce..faba6790328b 100644
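--- a/drivers/net/wireless/ath/ath9k/htc_hst.h
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.h
@@ -123,9 +123,6 @@ struct htc_endpoint {
 #define HTC_CONTROL_BUFFER_SIZE \
  (HTC_MAX_CONTROL_MESSAGE_LENGTH + sizeof(struct htc_frame_hdr))
 
-#define NUM_CONTROL_BUFFERS 8
-#define HST_ENDPOINT_MAX 8
-
 struct htc_control_buf {
  struct htc_packet htc_pkt;
  u8 buf[HTC_CONTROL_BUFFER_SIZE];
@@ -139,7 +136,7 @@ struct htc_target {
  struct ath9k_htc_priv *drv_priv;
  struct device *dev;
  struct ath9k_htc_hif *hif;
- struct htc_endpoint endpoint[HST_ENDPOINT_MAX];
+ struct htc_endpoint endpoint[ENDPOINT_MAX];
  struct completion target_wait;
  struct completion cmd_wait;
  struct list_head list;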
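Review bot: The `endpoint[ENDPOINT_MAX]` member in the struct htc_target hunk has no comment saying that ENDPOINT_MAX is the element count rather than the last valid endpoint id, and that is exactly the confusion behind the inclusive loop bounds corrected in htc_hst.c. A one-line comment above the member would record the contract, for example `/* indexed by enum htc_endpoint_id; valid ids are ENDPOINT0 .. ENDPOINT_MAX - 1 */`. The enum definition is not shown on this page, so confirm that ENDPOINT_MAX is its terminating enumerator before adding the comment. The struct definition continues outside the hunk.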