* [PATCH 5/5] ath9k_htc: Fix array overflow
@ 2010-05-11 10:55 Sujith.Manoharan
2010-05-11 11:23 ` Dan Carpenter
0 siblings, 1 reply; 3+ messages in thread
From: Sujith.Manoharan @ 2010-05-11 10:55 UTC (permalink / raw)
To: linville; +Cc: linux-wireless, error27
Use ENDPOINT_MAX instead of HST_ENDPOINT_MAX.
This fixes a stack corruption issue.
This is based on a patch sent by Dan Carpenter <error27@gmail.com>.
Cc: Dan Carpenter <error27@gmail.com>
Signed-off-by: Sujith <Sujith.Manoharan@atheros.com>
---
drivers/net/wireless/ath/ath9k/htc_hst.c | 8 ++++----
drivers/net/wireless/ath/ath9k/htc_hst.h | 5 +----
2 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index e86e172..5cd5e2f 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -39,7 +39,7 @@ static struct htc_endpoint *get_next_avail_ep(struct htc_endpoint *endpoint)
{
enum htc_endpoint_id avail_epid;
- for (avail_epid = ENDPOINT_MAX; avail_epid > ENDPOINT0; avail_epid--)
+ for (avail_epid = (ENDPOINT_MAX - 1); avail_epid > ENDPOINT0; avail_epid--)
if (endpoint[avail_epid].service_id == 0)
return &endpoint[avail_epid];
return NULL;
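Review bot: get_next_avail_ep() takes a bare `struct htc_endpoint *endpoint`, so the new start index `ENDPOINT_MAX - 1` is only in bounds if every caller passes an array of at least ENDPOINT_MAX entries. Nothing in the signature enforces that. Consider passing the `struct htc_target *` instead, or adding a comment stating the size the function assumes, so the bound and the array declaration in htc_hst.h cannot drift apart again. Style: the parentheses around `(ENDPOINT_MAX - 1)` are not needed.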
@@ -117,7 +117,7 @@ static void htc_process_conn_rsp(struct htc_target *target,
max_msglen = be16_to_cpu(svc_rspmsg->max_msg_len);
endpoint = &target->endpoint[epid];
- for (tepid = ENDPOINT_MAX; tepid > ENDPOINT0; tepid--) {
+ for (tepid = (ENDPOINT_MAX - 1); tepid > ENDPOINT0; tepid--) {
tmp_endpoint = &target->endpoint[tepid];
if (tmp_endpoint->service_id == service_id) {
tmp_endpoint->service_id = 0;
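Review bot: the context line `endpoint = &target->endpoint[epid];` just above the fixed loop indexes the same array with epid, and no range check on epid is visible in this hunk. If epid is read from svc_rspmsg the way max_msglen is, it is device-supplied and needs an `epid >= ENDPOINT_MAX` rejection before this line; otherwise the loop fix leaves an equivalent out-of-bounds access next to it. Please confirm where epid is validated, or add the check here.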
@@ -298,7 +298,7 @@ void htc_stop(struct htc_target *target)
enum htc_endpoint_id epid;
struct htc_endpoint *endpoint;
- for (epid = ENDPOINT0; epid <= ENDPOINT_MAX; epid++) {
+ for (epid = ENDPOINT0; epid < ENDPOINT_MAX; epid++) {
endpoint = &target->endpoint[epid];
if (endpoint->service_id != 0)
target->hif->stop(target->hif_dev, endpoint->ul_pipeid);
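Review bot: the `epid < ENDPOINT_MAX` bound in htc_stop() is right for an array of ENDPOINT_MAX entries, but this loop starts at ENDPOINT0 while the two loops fixed earlier in this file deliberately exclude it (`> ENDPOINT0`). If ENDPOINT0 is handled differently from the other endpoints, a short comment saying why it is included here (or that its service_id is expected to be 0) would make the asymmetry intentional rather than accidental.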
@@ -310,7 +310,7 @@ void htc_start(struct htc_target *target)
enum htc_endpoint_id epid;
struct htc_endpoint *endpoint;
- for (epid = ENDPOINT0; epid <= ENDPOINT_MAX; epid++) {
+ for (epid = ENDPOINT0; epid < ENDPOINT_MAX; epid++) {
endpoint = &target->endpoint[epid];
if (endpoint->service_id != 0)
target->hif->start(target->hif_dev,
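Review bot: the loop header in htc_start() is a verbatim copy of the one in htc_stop(), which is how the same `<=` mistake ended up in both. A small iteration helper or macro over `target->endpoint` would keep the bound in one place, so a future change to the array size only has to be made once.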
diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.h b/drivers/net/wireless/ath/ath9k/htc_hst.h
index 4f1cdb0..faba679 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.h
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.h
@@ -123,9 +123,6 @@ struct htc_endpoint {
#define HTC_CONTROL_BUFFER_SIZE \
(HTC_MAX_CONTROL_MESSAGE_LENGTH + sizeof(struct htc_frame_hdr))
-#define NUM_CONTROL_BUFFERS 8
-#define HST_ENDPOINT_MAX 8
-
struct htc_control_buf {
struct htc_packet htc_pkt;
u8 buf[HTC_CONTROL_BUFFER_SIZE];
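Review bot: the removal of `NUM_CONTROL_BUFFERS` in htc_hst.h is not mentioned in the changelog, which only talks about replacing HST_ENDPOINT_MAX. If the define is simply unused, say so in the commit message, or split it into a separate cleanup so the overflow fix stays minimal and easy to backport.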
@@ -139,7 +136,7 @@ struct htc_target {
struct ath9k_htc_priv *drv_priv;
struct device *dev;
struct ath9k_htc_hif *hif;
- struct htc_endpoint endpoint[HST_ENDPOINT_MAX];
+ struct htc_endpoint endpoint[ENDPOINT_MAX];
struct completion target_wait;
struct completion cmd_wait;
struct list_head list;
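Review bot: with `endpoint[ENDPOINT_MAX]` in struct htc_target, correctness rests on ENDPOINT_MAX being the count of valid htc_endpoint_id values, and that definition is not part of this patch. The changelog should state how ENDPOINT_MAX relates to the old size of 8 so a reader can see why indexing overflowed, and a comment at the enum saying ENDPOINT_MAX must stay last would protect the array size against later additions.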
--
1.7.1
* Re: [PATCH 5/5] ath9k_htc: Fix array overflow
2010-05-11 10:55 [PATCH 5/5] ath9k_htc: Fix array overflow Sujith.Manoharan
@ 2010-05-11 11:23 ` Dan Carpenter
2010-05-11 11:30 ` Sujith.Manoharan
0 siblings, 1 reply; 3+ messages in thread
From: Dan Carpenter @ 2010-05-11 11:23 UTC (permalink / raw)
To: Sujith.Manoharan; +Cc: linville, linux-wireless
On Tue, May 11, 2010 at 04:25:32PM +0530, Sujith.Manoharan@atheros.com wrote:
> Use ENDPOINT_MAX instead of HST_ENDPOINT_MAX.
> This fixes a stack corruption issue.
>
> This is based on a patch sent by Dan Carpenter <error27@gmail.com>.
>
There is a bit missing. The tmp_endpoint variable is always non-null
here. Can you just roll this into your patch?
Signed-off-by: Dan Carpenter <error27@gmail.com>
diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index 6a062a3..02e8e0f 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -124,7 +124,7 @@ static void htc_process_conn_rsp(struct htc_target *target,
}
}
- if (!tmp_endpoint)
+ if (tepid == ENDPOINT0)
return;
endpoint->service_id = service_id;
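Review bot: the new test `if (tepid == ENDPOINT0)` only distinguishes "not found" from "found" if the loop above leaves via `break` on a match; the context here shows only the closing braces, so please confirm the match branch breaks out, otherwise tepid always reaches ENDPOINT0 and the function always returns early. The early return is also silent; a debug message when no endpoint matches service_id would help. Note that this diff is against blob 6a062a3 while patch 5/5 is against e86e172, so it needs rebasing when rolled in.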
* Re: [PATCH 5/5] ath9k_htc: Fix array overflow
2010-05-11 11:23 ` Dan Carpenter
@ 2010-05-11 11:30 ` Sujith.Manoharan
0 siblings, 0 replies; 3+ messages in thread
From: Sujith.Manoharan @ 2010-05-11 11:30 UTC (permalink / raw)
To: Dan Carpenter; +Cc: linville@tuxdriver.com, linux-wireless@vger.kernel.org
Dan Carpenter wrote:
> On Tue, May 11, 2010 at 04:25:32PM +0530, Sujith.Manoharan@atheros.com wrote:
> > Use ENDPOINT_MAX instead of HST_ENDPOINT_MAX.
> > This fixes a stack corruption issue.
> >
> > This is based on a patch sent by Dan Carpenter <error27@gmail.com>.
> >
>
> There is a bit missing. The tmp_endpoint variable is always non-null
> here. Can you just roll this into your patch?
Sure, patch on its way.
Sujith