From e7c893caf6ac71e4f2c012f570f6df00153dec41 Mon Sep 17 00:00:00 2001 From: Youngsoo Kim Date: Wed, 29 Aug 2018 23:03:42 +0900 Subject: [PATCH] [9610] wlbt: fix prevent issue CID:240470,240473,240480 drivers/net/wireless/scsc/hip4_smapper.c CID 240470 (#1 of 1): Out-of-bounds write (OVERRUN) 6. overrun-local: Overrunning array control->lookuptable of 10 bytes at byte offset 251 using index bank->bank (which evaluates to 251). CID 240473 (#1 of 1): Out-of-bounds read (OVERRUN) 4. overrun-local: Overrunning array control->lookuptable of 10 bytes at byte offset 10 using index bank_num (which evaluates to 10). drivers/misc/samsung/scsc/mxlogger.h CID 240480 (#1 of 1): Uninitialized scalar variable (UNINIT) 2. uninit_use_in_call: Using uninitialized value sync_r. Field sync_r.fw_time is uninitialized when calling memcpy. [Note: The source code implementation of the function has been overridden by a builtin model.] Change-Id: I5fd7e08d84d0d2e21c9416229f827043d55a2e79 --- drivers/misc/samsung/scsc/mxlogger.c | 2 +- drivers/net/wireless/scsc/hip4_smapper.c | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/misc/samsung/scsc/mxlogger.c b/drivers/misc/samsung/scsc/mxlogger.c index 4f73f1edd8ab..6272083e9a36 100644 --- a/drivers/misc/samsung/scsc/mxlogger.c +++ b/drivers/misc/samsung/scsc/mxlogger.c @@ -220,7 +220,7 @@ static void mxlogger_message_handler(const void *message, void *data) static int __mxlogger_generate_sync_record(struct mxlogger *mxlogger, enum mxlogger_sync_event event) { - struct mxlogger_sync_record sync_r; + struct mxlogger_sync_record sync_r = {}; struct timeval t; struct log_msg_packet msg = {}; void *mem; diff --git a/drivers/net/wireless/scsc/hip4_smapper.c b/drivers/net/wireless/scsc/hip4_smapper.c index ca0dfb78a2a1..3d1bab7d2365 100644 --- a/drivers/net/wireless/scsc/hip4_smapper.c +++ b/drivers/net/wireless/scsc/hip4_smapper.c 
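Review bot: The `= {}` initializer on `sync_r` covers the named fields (including the `fw_time` Coverity flagged) but C gives no guarantee that padding bytes are zeroed by an initializer, so if `struct mxlogger_sync_record` contains any padding (its layout is not visible here) the memcpy of the whole record into the log buffer can still carry uninitialised stack bytes to whatever reads that buffer. Since the record is copied out wholesale, the safer form is `memset(&sync_r, 0, sizeof(sync_r));` after the declaration, which is also the usual kernel idiom for structs that leave the kernel. The same consideration applies to the pre-existing `msg = {}` on the context line below. `__mxlogger_generate_sync_record` continues past the end of the hunk.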
@@ -26,6 +26,8 @@ static int hip4_smapper_alloc_bank(struct slsi_dev *sdev, struct hip4_priv *priv SLSI_DBG4_NODEV(SLSI_SMAPPER, "Init bank %d entry_size %d is_large %d\n", bank_name, entry_size, is_large); bank->entry_size = entry_size; bank->bank = scsc_service_mifsmapper_alloc_bank(sdev->service, is_large, bank->entry_size, &bank->entries); + if(bank->bank < 0) + return bank->bank; bank->skbuff = kmalloc_array(bank->entries, sizeof(struct sk_buff *), GFP_KERNEL); bank->skbuff_dma = kmalloc_array(bank->entries, sizeof(dma_addr_t), @@ -205,7 +207,7 @@ int hip4_smapper_consume_entry(struct slsi_dev *sdev, struct slsi_hip4 *hip, str headroom = desc->headroom; - if (bank_num > HIP4_SMAPPER_TOTAL_BANKS) { + if (bank_num >= HIP4_SMAPPER_TOTAL_BANKS) { SLSI_DBG4_NODEV(SLSI_SMAPPER, "Incorrect bank_num %d\n", bank_num); goto error; } -- 2.20.1
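Review bot: The new guard `if(bank->bank < 0)` only catches the failure if `bank->bank` is a signed type, and the Coverity report in the description says the bad index evaluated to 251 rather than a negative errno, which suggests the field is an 8-bit unsigned value and the error code is truncated before the comparison, leaving the check dead. Test the return value in a signed local before storing it: `int ret = scsc_service_mifsmapper_alloc_bank(sdev->service, is_large, bank->entry_size, &bank->entries);` then `if (ret < 0) return ret;` and `bank->bank = ret;`. Kernel style also wants a space after `if`. `hip4_smapper_alloc_bank` starts and ends outside the hunk, so whether its caller releases a partially initialised bank on this early return cannot be confirmed here.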
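Review bot: Changing the bound to `bank_num >= HIP4_SMAPPER_TOTAL_BANKS` closes the off-by-one, but if `bank_num` is a signed type a negative value still indexes before `control->lookuptable`; the variable's type is not visible in the hunk. The surrounding `headroom = desc->headroom;` suggests `bank_num` is also taken from the descriptor, i.e. data produced by the other side of the HIP, so it should be treated as untrusted and the check written `if (bank_num < 0 || bank_num >= HIP4_SMAPPER_TOTAL_BANKS) {` unless the variable is already unsigned. `hip4_smapper_consume_entry` starts and ends outside the hunk.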