ath9k_htc: Fix array overflow
Use ENDPOINT_MAX instead of HST_ENDPOINT_MAX. This fixes a stack corruption issue. This is based on a patch sent by Dan Carpenter <error27@gmail.com>. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Sujith <Sujith.Manoharan@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
parent
d8c49ffb2e
commit
8116daf214
|
@ -39,7 +39,7 @@ static struct htc_endpoint *get_next_avail_ep(struct htc_endpoint *endpoint)
|
|||
{
|
||||
enum htc_endpoint_id avail_epid;
|
||||
|
||||
for (avail_epid = ENDPOINT_MAX; avail_epid > ENDPOINT0; avail_epid--)
|
||||
for (avail_epid = (ENDPOINT_MAX - 1); avail_epid > ENDPOINT0; avail_epid--)
|
||||
if (endpoint[avail_epid].service_id == 0)
|
||||
return &endpoint[avail_epid];
|
||||
return NULL;
|
||||
|
@ -117,7 +117,7 @@ static void htc_process_conn_rsp(struct htc_target *target,
|
|||
max_msglen = be16_to_cpu(svc_rspmsg->max_msg_len);
|
||||
endpoint = &target->endpoint[epid];
|
||||
|
||||
for (tepid = ENDPOINT_MAX; tepid > ENDPOINT0; tepid--) {
|
||||
for (tepid = (ENDPOINT_MAX - 1); tepid > ENDPOINT0; tepid--) {
|
||||
tmp_endpoint = &target->endpoint[tepid];
|
||||
if (tmp_endpoint->service_id == service_id) {
|
||||
tmp_endpoint->service_id = 0;
|
||||
|
@ -125,7 +125,7 @@ static void htc_process_conn_rsp(struct htc_target *target,
|
|||
}
|
||||
}
|
||||
|
||||
if (!tmp_endpoint)
|
||||
if (tepid == ENDPOINT0)
|
||||
return;
|
||||
|
||||
endpoint->service_id = service_id;
|
||||
|
@ -298,7 +298,7 @@ void htc_stop(struct htc_target *target)
|
|||
enum htc_endpoint_id epid;
|
||||
struct htc_endpoint *endpoint;
|
||||
|
||||
for (epid = ENDPOINT0; epid <= ENDPOINT_MAX; epid++) {
|
||||
for (epid = ENDPOINT0; epid < ENDPOINT_MAX; epid++) {
|
||||
endpoint = &target->endpoint[epid];
|
||||
if (endpoint->service_id != 0)
|
||||
target->hif->stop(target->hif_dev, endpoint->ul_pipeid);
|
||||
|
@ -310,7 +310,7 @@ void htc_start(struct htc_target *target)
|
|||
enum htc_endpoint_id epid;
|
||||
struct htc_endpoint *endpoint;
|
||||
|
||||
for (epid = ENDPOINT0; epid <= ENDPOINT_MAX; epid++) {
|
||||
for (epid = ENDPOINT0; epid < ENDPOINT_MAX; epid++) {
|
||||
endpoint = &target->endpoint[epid];
|
||||
if (endpoint->service_id != 0)
|
||||
target->hif->start(target->hif_dev,
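Review bot: In the htc_process_conn_rsp hunk, `endpoint = &target->endpoint[epid];` indexes the array with no bounds check visible in the hunk, while the array is now sized by ENDPOINT_MAX. If epid is taken from the connect-response message sent by the device (its assignment is outside the hunk, so this is inferred), a value at or above ENDPOINT_MAX would reach the later `endpoint->service_id = service_id;` store out of bounds, the same class of overflow this commit fixes for the loops. A guard before the index, such as `if (epid >= ENDPOINT_MAX) return;`, would close that path; epid's type is not visible here, so a lower-bound check may be needed as well. The function body starts and ends outside the hunk.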
|
||||
|
|
|
@ -123,9 +123,6 @@ struct htc_endpoint {
|
|||
#define HTC_CONTROL_BUFFER_SIZE \
|
||||
(HTC_MAX_CONTROL_MESSAGE_LENGTH + sizeof(struct htc_frame_hdr))
|
||||
|
||||
#define NUM_CONTROL_BUFFERS 8
|
||||
#define HST_ENDPOINT_MAX 8
|
||||
|
||||
struct htc_control_buf {
|
||||
struct htc_packet htc_pkt;
|
||||
u8 buf[HTC_CONTROL_BUFFER_SIZE];
|
||||
|
@ -139,7 +136,7 @@ struct htc_target {
|
|||
struct ath9k_htc_priv *drv_priv;
|
||||
struct device *dev;
|
||||
struct ath9k_htc_hif *hif;
|
||||
struct htc_endpoint endpoint[HST_ENDPOINT_MAX];
|
||||
struct htc_endpoint endpoint[ENDPOINT_MAX];
|
||||
struct completion target_wait;
|
||||
struct completion cmd_wait;
|
||||
struct list_head list;
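Review bot: The `endpoint[ENDPOINT_MAX]` field in struct htc_target carries no comment saying that ENDPOINT_MAX is an element count rather than the highest valid endpoint id, which is the confusion behind the `<= ENDPOINT_MAX` loops fixed elsewhere in this commit. I would add above the field `/* Indexed by enum htc_endpoint_id; valid indices are ENDPOINT0 .. ENDPOINT_MAX - 1 */`. The enum definition is not on this page, so this assumes ENDPOINT_MAX is its last enumerator. The struct body continues outside the hunk.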
|
||||
|
|