| author | Sujith.Manoharan@atheros.com <Sujith.Manoharan@atheros.com> | 2010-05-11 07:33:36 -0400 |
|---|---|---|
| committer | John W. Linville <linville@tuxdriver.com> | 2010-05-12 16:39:06 -0400 |
| commit | 8116daf2146d8fbc5d8d925984b3d4fd34dba1b4 (patch) | |
| tree | 233a47f5e67c85878101241b9011e6b51605b529 /drivers/net/wireless/ath/ath9k | |
| parent | d8c49ffb2e2a47b23fec7f469435e7b112e2e569 (diff) | |
ath9k_htc: Fix array overflow
Use ENDPOINT_MAX instead of HST_ENDPOINT_MAX.
This fixes a stack corruption issue.
This is based on a patch sent by Dan Carpenter <error27@gmail.com>.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Sujith <Sujith.Manoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/ath/ath9k')
| -rw-r--r-- | drivers/net/wireless/ath/ath9k/htc_hst.c | 10 | ||||
| -rw-r--r-- | drivers/net/wireless/ath/ath9k/htc_hst.h | 5 |
2 files changed, 6 insertions, 9 deletions
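--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -39,7 +39,7 @@ static struct htc_endpoint *get_next_avail_ep(struct htc_endpoint *endpoint)
 {
 enum htc_endpoint_id avail_epid;
 
-for (avail_epid = ENDPOINT_MAX; avail_epid > ENDPOINT0; avail_epid--)
+for (avail_epid = (ENDPOINT_MAX - 1); avail_epid > ENDPOINT0; avail_epid--)
 if (endpoint[avail_epid].service_id == 0)
 return &endpoint[avail_epid];
 return NULL;
@@ -117,7 +117,7 @@ static void htc_process_conn_rsp(struct htc_target *target,
 max_msglen = be16_to_cpu(svc_rspmsg->max_msg_len);
 endpoint = &target->endpoint[epid];
 
-for (tepid = ENDPOINT_MAX; tepid > ENDPOINT0; tepid--) {
+for (tepid = (ENDPOINT_MAX - 1); tepid > ENDPOINT0; tepid--) {
 tmp_endpoint = &target->endpoint[tepid];
 if (tmp_endpoint->service_id == service_id) {
 tmp_endpoint->service_id = 0;
@@ -125,7 +125,7 @@ static void htc_process_conn_rsp(struct htc_target *target,
 }
 }
 
-if (!tmp_endpoint)
+if (tepid == ENDPOINT0)
 return;
 
 endpoint->service_id = service_id;
@@ -298,7 +298,7 @@ void htc_stop(struct htc_target *target)
 enum htc_endpoint_id epid;
 struct htc_endpoint *endpoint;
 
-for (epid = ENDPOINT0; epid <= ENDPOINT_MAX; epid++) {
+for (epid = ENDPOINT0; epid < ENDPOINT_MAX; epid++) {
 endpoint = &target->endpoint[epid];
 if (endpoint->service_id != 0)
 target->hif->stop(target->hif_dev, endpoint->ul_pipeid);
@@ -310,7 +310,7 @@ void htc_start(struct htc_target *target)
 enum htc_endpoint_id epid;
 struct htc_endpoint *endpoint;
 
-for (epid = ENDPOINT0; epid <= ENDPOINT_MAX; epid++) {
+for (epid = ENDPOINT0; epid < ENDPOINT_MAX; epid++) {
 endpoint = &target->endpoint[epid];
 if (endpoint->service_id != 0)
 target->hif->start(target->hif_dev,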
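Review bot: In the htc_process_conn_rsp hunk at line 117, `endpoint = &target->endpoint[epid];` still indexes the array with an `epid` whose assignment lies outside the hunk and is not range-checked in the visible lines. If `epid` is read from the connect-response message, as `max_msglen` on the preceding line is, a value at or above ENDPOINT_MAX would make the later `endpoint->service_id = service_id;` store land outside the array, the same class of overflow this commit fixes for the loop bounds. A guard such as `if (epid >= ENDPOINT_MAX) return;` before the index would close that; whether a negative value also needs rejecting depends on the declared type of `epid`, which is not visible here. The function body starts and ends outside the hunk.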
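--- a/drivers/net/wireless/ath/ath9k/htc_hst.h
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.h
@@ -123,9 +123,6 @@ struct htc_endpoint {
 #define HTC_CONTROL_BUFFER_SIZE \
 (HTC_MAX_CONTROL_MESSAGE_LENGTH + sizeof(struct htc_frame_hdr))
 
-#define NUM_CONTROL_BUFFERS 8
-#define HST_ENDPOINT_MAX 8
-
 struct htc_control_buf {
 struct htc_packet htc_pkt;
 u8 buf[HTC_CONTROL_BUFFER_SIZE];
@@ -139,7 +136,7 @@ struct htc_target {
 struct ath9k_htc_priv *drv_priv;
 struct device *dev;
 struct ath9k_htc_hif *hif;
-struct htc_endpoint endpoint[HST_ENDPOINT_MAX];
+struct htc_endpoint endpoint[ENDPOINT_MAX];
 struct completion target_wait;
 struct completion cmd_wait;
 struct list_head list;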
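Review bot: The `endpoint` member of struct htc_target carries no comment stating that ENDPOINT_MAX is the element count rather than the highest valid index, which is the confusion behind the loop bounds corrected in htc_hst.c. I would add above it `/* indexed by enum htc_endpoint_id; valid ids are ENDPOINT0 .. ENDPOINT_MAX - 1 */` so that future loops and lookups use `< ENDPOINT_MAX`. The first hunk also removes `NUM_CONTROL_BUFFERS`, which the commit message does not mention; it is worth confirming that it has no remaining users. struct htc_target starts and ends outside the hunk.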
