Commit 8116daf2 authored by Sujith.Manoharan@atheros.com's avatar Sujith.Manoharan@atheros.com Committed by John W. Linville

ath9k_htc: Fix array overflow

Use ENDPOINT_MAX instead of HST_ENDPOINT_MAX.
This fixes a stack corruption issue.

This is based on a patch sent by Dan Carpenter <error27@gmail.com>.
Signed-off-by: default avatarDan Carpenter <error27@gmail.com>
Signed-off-by: default avatarSujith <Sujith.Manoharan@atheros.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent d8c49ffb
...@@ -39,7 +39,7 @@ static struct htc_endpoint *get_next_avail_ep(struct htc_endpoint *endpoint) ...@@ -39,7 +39,7 @@ static struct htc_endpoint *get_next_avail_ep(struct htc_endpoint *endpoint)
{ {
enum htc_endpoint_id avail_epid; enum htc_endpoint_id avail_epid;
for (avail_epid = ENDPOINT_MAX; avail_epid > ENDPOINT0; avail_epid--) for (avail_epid = (ENDPOINT_MAX - 1); avail_epid > ENDPOINT0; avail_epid--)
if (endpoint[avail_epid].service_id == 0) if (endpoint[avail_epid].service_id == 0)
return &endpoint[avail_epid]; return &endpoint[avail_epid];
return NULL; return NULL;
...@@ -117,7 +117,7 @@ static void htc_process_conn_rsp(struct htc_target *target, ...@@ -117,7 +117,7 @@ static void htc_process_conn_rsp(struct htc_target *target,
max_msglen = be16_to_cpu(svc_rspmsg->max_msg_len); max_msglen = be16_to_cpu(svc_rspmsg->max_msg_len);
endpoint = &target->endpoint[epid]; endpoint = &target->endpoint[epid];
for (tepid = ENDPOINT_MAX; tepid > ENDPOINT0; tepid--) { for (tepid = (ENDPOINT_MAX - 1); tepid > ENDPOINT0; tepid--) {
tmp_endpoint = &target->endpoint[tepid]; tmp_endpoint = &target->endpoint[tepid];
if (tmp_endpoint->service_id == service_id) { if (tmp_endpoint->service_id == service_id) {
tmp_endpoint->service_id = 0; tmp_endpoint->service_id = 0;
...@@ -125,7 +125,7 @@ static void htc_process_conn_rsp(struct htc_target *target, ...@@ -125,7 +125,7 @@ static void htc_process_conn_rsp(struct htc_target *target,
} }
} }
if (!tmp_endpoint) if (tepid == ENDPOINT0)
return; return;
endpoint->service_id = service_id; endpoint->service_id = service_id;
...@@ -298,7 +298,7 @@ void htc_stop(struct htc_target *target) ...@@ -298,7 +298,7 @@ void htc_stop(struct htc_target *target)
enum htc_endpoint_id epid; enum htc_endpoint_id epid;
struct htc_endpoint *endpoint; struct htc_endpoint *endpoint;
for (epid = ENDPOINT0; epid <= ENDPOINT_MAX; epid++) { for (epid = ENDPOINT0; epid < ENDPOINT_MAX; epid++) {
endpoint = &target->endpoint[epid]; endpoint = &target->endpoint[epid];
if (endpoint->service_id != 0) if (endpoint->service_id != 0)
target->hif->stop(target->hif_dev, endpoint->ul_pipeid); target->hif->stop(target->hif_dev, endpoint->ul_pipeid);
...@@ -310,7 +310,7 @@ void htc_start(struct htc_target *target) ...@@ -310,7 +310,7 @@ void htc_start(struct htc_target *target)
enum htc_endpoint_id epid; enum htc_endpoint_id epid;
struct htc_endpoint *endpoint; struct htc_endpoint *endpoint;
for (epid = ENDPOINT0; epid <= ENDPOINT_MAX; epid++) { for (epid = ENDPOINT0; epid < ENDPOINT_MAX; epid++) {
endpoint = &target->endpoint[epid]; endpoint = &target->endpoint[epid];
if (endpoint->service_id != 0) if (endpoint->service_id != 0)
target->hif->start(target->hif_dev, target->hif->start(target->hif_dev,
......
...@@ -123,9 +123,6 @@ struct htc_endpoint { ...@@ -123,9 +123,6 @@ struct htc_endpoint {
#define HTC_CONTROL_BUFFER_SIZE \ #define HTC_CONTROL_BUFFER_SIZE \
(HTC_MAX_CONTROL_MESSAGE_LENGTH + sizeof(struct htc_frame_hdr)) (HTC_MAX_CONTROL_MESSAGE_LENGTH + sizeof(struct htc_frame_hdr))
#define NUM_CONTROL_BUFFERS 8
#define HST_ENDPOINT_MAX 8
struct htc_control_buf { struct htc_control_buf {
struct htc_packet htc_pkt; struct htc_packet htc_pkt;
u8 buf[HTC_CONTROL_BUFFER_SIZE]; u8 buf[HTC_CONTROL_BUFFER_SIZE];
...@@ -139,7 +136,7 @@ struct htc_target { ...@@ -139,7 +136,7 @@ struct htc_target {
struct ath9k_htc_priv *drv_priv; struct ath9k_htc_priv *drv_priv;
struct device *dev; struct device *dev;
struct ath9k_htc_hif *hif; struct ath9k_htc_hif *hif;
struct htc_endpoint endpoint[HST_ENDPOINT_MAX]; struct htc_endpoint endpoint[ENDPOINT_MAX];
struct completion target_wait; struct completion target_wait;
struct completion cmd_wait; struct completion cmd_wait;
struct list_head list; struct list_head list;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment