From 8116daf2146d8fbc5d8d925984b3d4fd34dba1b4 Mon Sep 17 00:00:00 2001 From: "Sujith.Manoharan@atheros.com" Date: Tue, 11 May 2010 17:03:36 +0530 Subject: [PATCH] ath9k_htc: Fix array overflow Use ENDPOINT_MAX instead of HST_ENDPOINT_MAX. This fixes a stack corruption issue. This is based on a patch sent by Dan Carpenter . Signed-off-by: Dan Carpenter Signed-off-by: Sujith Signed-off-by: John W. Linville --- drivers/net/wireless/ath/ath9k/htc_hst.c | 10 +++++----- drivers/net/wireless/ath/ath9k/htc_hst.h | 5 +---- 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c index e86e1728c8de..064397fd738e 100644 --- a/drivers/net/wireless/ath/ath9k/htc_hst.c +++ b/drivers/net/wireless/ath/ath9k/htc_hst.c @@ -39,7 +39,7 @@ static struct htc_endpoint *get_next_avail_ep(struct htc_endpoint *endpoint) { enum htc_endpoint_id avail_epid; - for (avail_epid = ENDPOINT_MAX; avail_epid > ENDPOINT0; avail_epid--) + for (avail_epid = (ENDPOINT_MAX - 1); avail_epid > ENDPOINT0; avail_epid--) if (endpoint[avail_epid].service_id == 0) return &endpoint[avail_epid]; return NULL; @@ -117,7 +117,7 @@ static void htc_process_conn_rsp(struct htc_target *target, max_msglen = be16_to_cpu(svc_rspmsg->max_msg_len); endpoint = &target->endpoint[epid]; - for (tepid = ENDPOINT_MAX; tepid > ENDPOINT0; tepid--) { + for (tepid = (ENDPOINT_MAX - 1); tepid > ENDPOINT0; tepid--) { tmp_endpoint = &target->endpoint[tepid]; if (tmp_endpoint->service_id == service_id) { tmp_endpoint->service_id = 0; @@ -125,7 +125,7 @@ static void htc_process_conn_rsp(struct htc_target *target, } } - if (!tmp_endpoint) + if (tepid == ENDPOINT0) return; endpoint->service_id = service_id; @@ -298,7 +298,7 @@ void htc_stop(struct htc_target *target) enum htc_endpoint_id epid; struct htc_endpoint *endpoint; - for (epid = ENDPOINT0; epid <= ENDPOINT_MAX; epid++) { + for (epid = ENDPOINT0; epid < ENDPOINT_MAX; epid++) { endpoint = &target->endpoint[epid]; if (endpoint->service_id != 0) target->hif->stop(target->hif_dev, endpoint->ul_pipeid); @@ -310,7 +310,7 @@ void htc_start(struct htc_target *target) enum htc_endpoint_id epid; struct htc_endpoint *endpoint; - for (epid = ENDPOINT0; epid <= ENDPOINT_MAX; epid++) { + for (epid = ENDPOINT0; epid < ENDPOINT_MAX; epid++) { endpoint = &target->endpoint[epid]; if (endpoint->service_id != 0) target->hif->start(target->hif_dev, diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.h b/drivers/net/wireless/ath/ath9k/htc_hst.h index 4f1cdb003cce..faba6790328b 100644 --- a/drivers/net/wireless/ath/ath9k/htc_hst.h +++ b/drivers/net/wireless/ath/ath9k/htc_hst.h @@ -123,9 +123,6 @@ struct htc_endpoint { #define HTC_CONTROL_BUFFER_SIZE \ (HTC_MAX_CONTROL_MESSAGE_LENGTH + sizeof(struct htc_frame_hdr)) -#define NUM_CONTROL_BUFFERS 8 -#define HST_ENDPOINT_MAX 8 - struct htc_control_buf { struct htc_packet htc_pkt; u8 buf[HTC_CONTROL_BUFFER_SIZE]; @@ -139,7 +136,7 @@ struct htc_target { struct ath9k_htc_priv *drv_priv; struct device *dev; struct ath9k_htc_hif *hif; - struct htc_endpoint endpoint[HST_ENDPOINT_MAX]; + struct htc_endpoint endpoint[ENDPOINT_MAX]; struct completion target_wait; struct completion cmd_wait; struct list_head list; -- 2.20.1