From patchwork Tue May 11 11:33:36 2010 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sujith X-Patchwork-Id: 98697 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by demeter.kernel.org (8.14.3/8.14.3) with ESMTP id o4BBXIHC012417 for ; Tue, 11 May 2010 11:33:18 GMT Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752740Ab0EKLdR (ORCPT ); Tue, 11 May 2010 07:33:17 -0400 Received: from mail.atheros.com ([12.36.123.2]:48951 "EHLO mail.atheros.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752132Ab0EKLdQ (ORCPT ); Tue, 11 May 2010 07:33:16 -0400 Received: from mail.atheros.com ([10.10.20.105]) by sidewinder.atheros.com for ; Tue, 11 May 2010 04:33:16 -0700 Received: from CHEXHC-01.global.atheros.com (10.12.0.100) by SC1EXHC-01.global.atheros.com (10.10.20.104) with Microsoft SMTP Server (TLS) id 8.2.213.0; Tue, 11 May 2010 04:33:16 -0700 Received: from kamboji (10.12.0.31) by CHEXHC-01.global.atheros.com (10.12.0.100) with Microsoft SMTP Server (TLS) id 8.2.176.0; Tue, 11 May 2010 17:03:13 +0530 MIME-Version: 1.0 Message-ID: <19433.16528.664690.921021@gargle.gargle.HOWL> Date: Tue, 11 May 2010 17:03:36 +0530 To: CC: , Subject: [PATCH v2 5/5] ath9k_htc: Fix array overflow From: Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.3 (demeter.kernel.org [140.211.167.41]); Tue, 11 May 2010 11:33:18 +0000 (UTC) diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c index e86e172..064397f 100644 --- a/drivers/net/wireless/ath/ath9k/htc_hst.c +++ b/drivers/net/wireless/ath/ath9k/htc_hst.c 
@@ -39,7 +39,7 @@ static struct htc_endpoint *get_next_avail_ep(struct htc_endpoint *endpoint) { enum htc_endpoint_id avail_epid; - for (avail_epid = ENDPOINT_MAX; avail_epid > ENDPOINT0; avail_epid--) + for (avail_epid = (ENDPOINT_MAX - 1); avail_epid > ENDPOINT0; avail_epid--) if (endpoint[avail_epid].service_id == 0) return &endpoint[avail_epid]; return NULL; @@ -117,7 +117,7 @@ static void htc_process_conn_rsp(struct htc_target *target, max_msglen = be16_to_cpu(svc_rspmsg->max_msg_len); endpoint = &target->endpoint[epid]; - for (tepid = ENDPOINT_MAX; tepid > ENDPOINT0; tepid--) { + for (tepid = (ENDPOINT_MAX - 1); tepid > ENDPOINT0; tepid--) { tmp_endpoint = &target->endpoint[tepid]; if (tmp_endpoint->service_id == service_id) { tmp_endpoint->service_id = 0; @@ -125,7 +125,7 @@ static void htc_process_conn_rsp(struct htc_target *target, } } - if (!tmp_endpoint) + if (tepid == ENDPOINT0) return; endpoint->service_id = service_id; @@ -298,7 +298,7 @@ void htc_stop(struct htc_target *target) enum htc_endpoint_id epid; struct htc_endpoint *endpoint; - for (epid = ENDPOINT0; epid <= ENDPOINT_MAX; epid++) { + for (epid = ENDPOINT0; epid < ENDPOINT_MAX; epid++) { endpoint = &target->endpoint[epid]; if (endpoint->service_id != 0) target->hif->stop(target->hif_dev, endpoint->ul_pipeid); @@ -310,7 +310,7 @@ void htc_start(struct htc_target *target) enum htc_endpoint_id epid; struct htc_endpoint *endpoint; - for (epid = ENDPOINT0; epid <= ENDPOINT_MAX; epid++) { + for (epid = ENDPOINT0; epid < ENDPOINT_MAX; epid++) { endpoint = &target->endpoint[epid]; if (endpoint->service_id != 0) target->hif->start(target->hif_dev, diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.h b/drivers/net/wireless/ath/ath9k/htc_hst.h index 4f1cdb0..faba679 100644 --- a/drivers/net/wireless/ath/ath9k/htc_hst.h +++ b/drivers/net/wireless/ath/ath9k/htc_hst.h 
@@ -123,9 +123,6 @@ struct htc_endpoint { #define HTC_CONTROL_BUFFER_SIZE \ (HTC_MAX_CONTROL_MESSAGE_LENGTH + sizeof(struct htc_frame_hdr)) -#define NUM_CONTROL_BUFFERS 8 -#define HST_ENDPOINT_MAX 8 - struct htc_control_buf { struct htc_packet htc_pkt; u8 buf[HTC_CONTROL_BUFFER_SIZE]; @@ -139,7 +136,7 @@ struct htc_target { struct ath9k_htc_priv *drv_priv; struct device *dev; struct ath9k_htc_hif *hif; - struct htc_endpoint endpoint[HST_ENDPOINT_MAX]; + struct htc_endpoint endpoint[ENDPOINT_MAX]; struct completion target_wait; struct completion cmd_wait; struct list_head list;
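Review bot: In the htc_process_conn_rsp() hunk at -125, the new test `if (tepid == ENDPOINT0)` only means "no match" if the matching branch of the loop above leaves the loop early. The lines between the -117 and -125 hunks are not shown, so please confirm a break follows `tmp_endpoint->service_id = 0;`. The old `if (!tmp_endpoint)` could never fire once the loop had run, because tmp_endpoint is always assigned `&target->endpoint[tepid]`. That makes this a behaviour change on top of the bounds fix, and the changelog should mention it.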
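Review bot: In the htc_stop() hunk at -298, and identically in htc_start() at -310, the loop bound is still a constant kept in sync with the array declaration by hand. That is the same coupling that allowed `epid <= ENDPOINT_MAX` to walk one element past the end. Consider `epid < ARRAY_SIZE(target->endpoint)` in both loops so the bound follows the declaration in htc_hst.h. The descending loops in get_next_avail_ep() and htc_process_conn_rsp() would benefit from a short comment that ENDPOINT_MAX is a count, not the last valid index.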
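Review bot: In the htc_hst.h hunk at -123, dropping `#define NUM_CONTROL_BUFFERS 8` is unrelated to the array overflow named in the subject. Either note in the changelog that it is unused and being cleaned up, or move it to a separate patch so the fix stays minimal for review and backporting.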
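Review bot: In the htc_hst.h hunk at -139, `struct htc_endpoint endpoint[ENDPOINT_MAX];` now takes its size from the enum instead of the removed HST_ENDPOINT_MAX (8), but the definition of ENDPOINT_MAX is not part of this patch. Please state in the changelog what ENDPOINT_MAX evaluates to and whether the size of struct htc_target changes as a result. A reader of this diff alone cannot otherwise tell whether the old loops overran the array by one element or whether the array was also undersized.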