ath9k_htc: Fix array overflow
authorSujith.Manoharan@atheros.com <Sujith.Manoharan@atheros.com>
Tue, 11 May 2010 11:33:36 +0000 (17:03 +0530)
committerJohn W. Linville <linville@tuxdriver.com>
Wed, 12 May 2010 20:39:06 +0000 (16:39 -0400)
Use ENDPOINT_MAX instead of HST_ENDPOINT_MAX.
This fixes a stack corruption issue.

This is based on a patch sent by Dan Carpenter <error27@gmail.com>.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Sujith <Sujith.Manoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
drivers/net/wireless/ath/ath9k/htc_hst.c
drivers/net/wireless/ath/ath9k/htc_hst.h

index e86e1728c8de1fe44fe850fab956528caeeca37c..064397fd738e5572dd2f68dea5f4221b48cfb01b 100644 (file)
@@ -39,7 +39,7 @@ static struct htc_endpoint *get_next_avail_ep(struct htc_endpoint *endpoint)
 {
        enum htc_endpoint_id avail_epid;
 
-       for (avail_epid = ENDPOINT_MAX; avail_epid > ENDPOINT0; avail_epid--)
+       for (avail_epid = (ENDPOINT_MAX - 1); avail_epid > ENDPOINT0; avail_epid--)
                if (endpoint[avail_epid].service_id == 0)
                        return &endpoint[avail_epid];
        return NULL;
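Review bot: The new upper bound `ENDPOINT_MAX - 1` is only correct while every caller of get_next_avail_ep passes an array of exactly ENDPOINT_MAX entries, and the bare `struct htc_endpoint *endpoint` parameter carries no length to enforce that. A comment above the loop would pin the contract: `/* endpoint must be target->endpoint[ENDPOINT_MAX]; scan down to, but not including, ENDPOINT0 */`. Why ENDPOINT0 is excluded from the scan is not visible on this page, so the comment should state only the bound. The function's closing brace is outside the hunk.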
@@ -117,7 +117,7 @@ static void htc_process_conn_rsp(struct htc_target *target,
                max_msglen = be16_to_cpu(svc_rspmsg->max_msg_len);
                endpoint = &target->endpoint[epid];
 
-               for (tepid = ENDPOINT_MAX; tepid > ENDPOINT0; tepid--) {
+               for (tepid = (ENDPOINT_MAX - 1); tepid > ENDPOINT0; tepid--) {
                        tmp_endpoint = &target->endpoint[tepid];
                        if (tmp_endpoint->service_id == service_id) {
                                tmp_endpoint->service_id = 0;
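Review bot: `endpoint = &target->endpoint[epid]` just above the loop indexes an array this commit sizes to exactly ENDPOINT_MAX, and epid appears to be taken from the service response message (its assignment, like the start and end of htc_process_conn_rsp, is outside the hunk). If epid is not validated as `< ENDPOINT_MAX` before that line, a malformed response from the device would still index past the array even with the loop bounds fixed; the check belongs before the dereference, e.g. `if (epid >= ENDPOINT_MAX) return;`. If such a check already exists above the hunk, a comment next to the dereference saying so would save the next reader the same question.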
@@ -125,7 +125,7 @@ static void htc_process_conn_rsp(struct htc_target *target,
                        }
                }
 
-               if (!tmp_endpoint)
+               if (tepid == ENDPOINT0)
                        return;
 
                endpoint->service_id = service_id;
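Review bot: `if (tepid == ENDPOINT0)` now means "the scan found no endpoint carrying service_id", which only holds if the matching branch leaves the loop with a break; that break, if present, sits between the previous hunk and this one and is not visible here. The old `!tmp_endpoint` test could never fire because tmp_endpoint is assigned on every iteration, so the new sentinel is a real improvement, but it deserves a comment so a later edit to the loop does not silently defeat it: `/* loop exhausted: no endpoint currently carries service_id */`. htc_process_conn_rsp starts and ends outside the hunk.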
@@ -298,7 +298,7 @@ void htc_stop(struct htc_target *target)
        enum htc_endpoint_id epid;
        struct htc_endpoint *endpoint;
 
-       for (epid = ENDPOINT0; epid <= ENDPOINT_MAX; epid++) {
+       for (epid = ENDPOINT0; epid < ENDPOINT_MAX; epid++) {
                endpoint = &target->endpoint[epid];
                if (endpoint->service_id != 0)
                        target->hif->stop(target->hif_dev, endpoint->ul_pipeid);
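Review bot: htc_stop iterates from ENDPOINT0 inclusive while get_next_avail_ep and htc_process_conn_rsp stop at `> ENDPOINT0`, so endpoint 0 is walked here but, as far as this page shows, never handed out by the allocation scan; whether that asymmetry is intentional is not visible. A one-line comment on the loop, `/* walks ENDPOINT0 too; only entries with a non-zero service_id are touched */`, would record it, and the same applies to the identical loop in htc_start in the next hunk. Both function bodies continue outside their hunks.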
@@ -310,7 +310,7 @@ void htc_start(struct htc_target *target)
        enum htc_endpoint_id epid;
        struct htc_endpoint *endpoint;
 
-       for (epid = ENDPOINT0; epid <= ENDPOINT_MAX; epid++) {
+       for (epid = ENDPOINT0; epid < ENDPOINT_MAX; epid++) {
                endpoint = &target->endpoint[epid];
                if (endpoint->service_id != 0)
                        target->hif->start(target->hif_dev,
index 4f1cdb003ccecc944cd0eb9843ad989aa2f6bdbd..faba6790328b42ae20520ffee47cf90799e788f0 100644 (file)
@@ -123,9 +123,6 @@ struct htc_endpoint {
 #define HTC_CONTROL_BUFFER_SIZE        \
        (HTC_MAX_CONTROL_MESSAGE_LENGTH + sizeof(struct htc_frame_hdr))
 
-#define NUM_CONTROL_BUFFERS 8
-#define HST_ENDPOINT_MAX 8
-
 struct htc_control_buf {
        struct htc_packet htc_pkt;
        u8 buf[HTC_CONTROL_BUFFER_SIZE];
@@ -139,7 +136,7 @@ struct htc_target {
        struct ath9k_htc_priv *drv_priv;
        struct device *dev;
        struct ath9k_htc_hif *hif;
-       struct htc_endpoint endpoint[HST_ENDPOINT_MAX];
+       struct htc_endpoint endpoint[ENDPOINT_MAX];
        struct completion target_wait;
        struct completion cmd_wait;
        struct list_head list;
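Review bot: `endpoint[ENDPOINT_MAX]` makes ENDPOINT_MAX (presumably the last member of enum htc_endpoint_id, whose definition is not on this page) the element count rather than a valid index, so every loop over the array must use `< ENDPOINT_MAX` or start at `ENDPOINT_MAX - 1`; the four loops corrected in htc_hst.c show how easily `<=` crept in when the array was sized by a separate HST_ENDPOINT_MAX. A comment on the field would guard against regression: `/* indexed by enum htc_endpoint_id; ENDPOINT_MAX is the count, not a valid index */`. struct htc_target continues past the end of the hunk.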