* [patch 2/9] ath9k: range checking issues in htc_hst.c
@ 2010-05-08 16:22 Dan Carpenter
2010-05-10 4:37 ` Sujith
2010-05-11 5:50 ` Sujith.Manoharan
0 siblings, 2 replies; 7+ messages in thread
From: Dan Carpenter @ 2010-05-08 16:22 UTC (permalink / raw)
To: Luis R. Rodriguez
Cc: Jouni Malinen, Sujith Manoharan, Vasanthakumar Thiagarajan,
Senthil Balasubramanian, John W. Linville, Ming Lei,
linux-wireless, ath9k-devel
The original code had ENDPOINT_MAX and HST_ENDPOINT_MAX switched.
Also the first loop was off by one, it started past the end of the array
and went down to 1 instead of going down to 0. The test at the end of
the loop to see if we exited via a break wasn't right because
"tmp_endpoint" is always non-null here.
Signed-off-by: Dan Carpenter <error27@gmail.com>
diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index 7bf6ce1..0c062d0 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -116,7 +116,7 @@ static void htc_process_conn_rsp(struct htc_target *target,
max_msglen = be16_to_cpu(svc_rspmsg->max_msg_len);
endpoint = &target->endpoint[epid];
- for (tepid = ENDPOINT_MAX; tepid > ENDPOINT0; tepid--) {
+ for (tepid = HST_ENDPOINT_MAX - 1; tepid >= ENDPOINT0; tepid--) {
tmp_endpoint = &target->endpoint[tepid];
if (tmp_endpoint->service_id == service_id) {
tmp_endpoint->service_id = 0;
@@ -124,7 +124,7 @@ static void htc_process_conn_rsp(struct htc_target *target,
}
}
- if (!tmp_endpoint)
+ if (tepid < ENDPOINT0)
return;
endpoint->service_id = service_id;
@@ -297,7 +297,7 @@ void htc_stop(struct htc_target *target)
enum htc_endpoint_id epid;
struct htc_endpoint *endpoint;
- for (epid = ENDPOINT0; epid <= ENDPOINT_MAX; epid++) {
+ for (epid = ENDPOINT0; epid < HST_ENDPOINT_MAX; epid++) {
endpoint = &target->endpoint[epid];
if (endpoint->service_id != 0)
target->hif->stop(target->hif_dev, endpoint->ul_pipeid);
@@ -309,7 +309,7 @@ void htc_start(struct htc_target *target)
enum htc_endpoint_id epid;
struct htc_endpoint *endpoint;
- for (epid = ENDPOINT0; epid <= ENDPOINT_MAX; epid++) {
+ for (epid = ENDPOINT0; epid < HST_ENDPOINT_MAX; epid++) {
endpoint = &target->endpoint[epid];
if (endpoint->service_id != 0)
target->hif->start(target->hif_dev,
@@ -377,7 +377,7 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle,
htc_hdr = (struct htc_frame_hdr *) skb->data;
epid = htc_hdr->endpoint_id;
- if (epid >= ENDPOINT_MAX) {
+ if (epid >= HST_ENDPOINT_MAX) {
if (pipe_id != USB_REG_IN_PIPE)
dev_kfree_skb_any(skb);
else
^ permalink raw reply related [flat|nested] 7+ messages in thread* [patch 2/9] ath9k: range checking issues in htc_hst.c
2010-05-08 16:22 [patch 2/9] ath9k: range checking issues in htc_hst.c Dan Carpenter
@ 2010-05-10 4:37 ` Sujith
2010-05-10 10:23 ` Dan Carpenter
2010-05-11 5:50 ` Sujith.Manoharan
1 sibling, 1 reply; 7+ messages in thread
From: Sujith @ 2010-05-10 4:37 UTC (permalink / raw)
To: Dan Carpenter
Cc: Luis Rodriguez, Jouni Malinen, Vasanth Thiagarajan,
Senthilkumar Balasubramanian, John W. Linville, Ming Lei,
linux-wireless@vger.kernel.org, ath9k-devel@lists.ath9k.org
Dan Carpenter wrote:
> The original code had ENDPOINT_MAX and HST_ENDPOINT_MAX switched.
Hm, no.
> Also the first loop was off by one, it started past the end of the array
> and went down to 1 instead of going down to 0. The test at the end of
> the loop to see if we exited via a break wasn't right because
> "tmp_endpoint" is always non-null here.
>
> Signed-off-by: Dan Carpenter <error27@gmail.com>
>
> diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
> index 7bf6ce1..0c062d0 100644
> --- a/drivers/net/wireless/ath/ath9k/htc_hst.c
> +++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
> @@ -116,7 +116,7 @@ static void htc_process_conn_rsp(struct htc_target *target,
> max_msglen = be16_to_cpu(svc_rspmsg->max_msg_len);
> endpoint = &target->endpoint[epid];
>
> - for (tepid = ENDPOINT_MAX; tepid > ENDPOINT0; tepid--) {
> + for (tepid = HST_ENDPOINT_MAX - 1; tepid >= ENDPOINT0; tepid--) {
This should be (tepid = (ENDPOINT_MAX - 1); tepid > ENDPOINT0; tepid--),
and the NULL check below can be retained.
This is because ENDPOINT0 is reserved.
> tmp_endpoint = &target->endpoint[tepid];
> if (tmp_endpoint->service_id == service_id) {
> tmp_endpoint->service_id = 0;
> @@ -124,7 +124,7 @@ static void htc_process_conn_rsp(struct htc_target *target,
> }
> }
>
> - if (!tmp_endpoint)
> + if (tepid < ENDPOINT0)
> return;
>
> endpoint->service_id = service_id;
> @@ -297,7 +297,7 @@ void htc_stop(struct htc_target *target)
> enum htc_endpoint_id epid;
> struct htc_endpoint *endpoint;
>
> - for (epid = ENDPOINT0; epid <= ENDPOINT_MAX; epid++) {
> + for (epid = ENDPOINT0; epid < HST_ENDPOINT_MAX; epid++) {
ENDPOINT_MAX should be used here, but '<=' should be replaced by '<'.
> endpoint = &target->endpoint[epid];
> if (endpoint->service_id != 0)
> target->hif->stop(target->hif_dev, endpoint->ul_pipeid);
> @@ -309,7 +309,7 @@ void htc_start(struct htc_target *target)
> enum htc_endpoint_id epid;
> struct htc_endpoint *endpoint;
>
> - for (epid = ENDPOINT0; epid <= ENDPOINT_MAX; epid++) {
> + for (epid = ENDPOINT0; epid < HST_ENDPOINT_MAX; epid++) {
> endpoint = &target->endpoint[epid];
Same as above.
> if (endpoint->service_id != 0)
> target->hif->start(target->hif_dev,
> @@ -377,7 +377,7 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle,
> htc_hdr = (struct htc_frame_hdr *) skb->data;
> epid = htc_hdr->endpoint_id;
>
> - if (epid >= ENDPOINT_MAX) {
> + if (epid >= HST_ENDPOINT_MAX) {
> if (pipe_id != USB_REG_IN_PIPE)
> dev_kfree_skb_any(skb);
> else
The original check was correct ...
Sujith
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [patch 2/9] ath9k: range checking issues in htc_hst.c
2010-05-10 4:37 ` Sujith
@ 2010-05-10 10:23 ` Dan Carpenter
2010-05-10 10:50 ` Sujith
0 siblings, 1 reply; 7+ messages in thread
From: Dan Carpenter @ 2010-05-10 10:23 UTC (permalink / raw)
To: Sujith
Cc: Luis Rodriguez, Jouni Malinen, Vasanth Thiagarajan,
Senthilkumar Balasubramanian, John W. Linville, Ming Lei,
linux-wireless@vger.kernel.org, ath9k-devel@lists.ath9k.org
On Mon, May 10, 2010 at 10:07:12AM +0530, Sujith wrote:
> Dan Carpenter wrote:
> > The original code had ENDPOINT_MAX and HST_ENDPOINT_MAX switched.
>
> Hm, no.
>
I'm afraid I don't understand. ENDPOINT_MAX is 22 and HST_ENDPOINT_MAX
is 8. The htc_target struct is defined as having 8 endpoints.
drivers/net/wireless/ath/ath9k/htc_hst.h
137 struct htc_target {
138 void *hif_dev;
139 struct ath9k_htc_priv *drv_priv;
140 struct device *dev;
141 struct ath9k_htc_hif *hif;
142 struct htc_endpoint endpoint[HST_ENDPOINT_MAX];
^^^^^^^^^^^^^^^^^^^^^^^^^^^
So in the original code:
drivers/net/wireless/ath/ath9k/htc_hst.c
119 for (tepid = ENDPOINT_MAX; tepid > ENDPOINT0; tepid--) {
120 tmp_endpoint = &target->endpoint[tepid];
^^^^^^^^^^^^^^^^^^^^^^^^^
We are past the end of the array here. 22 vs 7.
Perhaps the htc_target struct should be changed to ENDPOINT_MAX?
regards,
dan carpenter
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [patch 2/9] ath9k: range checking issues in htc_hst.c
2010-05-10 10:23 ` Dan Carpenter
@ 2010-05-10 10:50 ` Sujith
2010-05-10 12:17 ` [ath9k-devel] " Pavel Roskin
0 siblings, 1 reply; 7+ messages in thread
From: Sujith @ 2010-05-10 10:50 UTC (permalink / raw)
To: Dan Carpenter
Cc: Luis Rodriguez, Jouni Malinen, Vasanth Thiagarajan,
Senthilkumar Balasubramanian, John W. Linville, Ming Lei,
linux-wireless@vger.kernel.org, ath9k-devel@lists.ath9k.org
Dan Carpenter wrote:
> I'm afraid I don't understand. ENDPOINT_MAX is 22 and HST_ENDPOINT_MAX
> is 8. The htc_target struct is defined as having 8 endpoints.
>
> drivers/net/wireless/ath/ath9k/htc_hst.h
> 137 struct htc_target {
> 138 void *hif_dev;
> 139 struct ath9k_htc_priv *drv_priv;
> 140 struct device *dev;
> 141 struct ath9k_htc_hif *hif;
> 142 struct htc_endpoint endpoint[HST_ENDPOINT_MAX];
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> So in the original code:
> drivers/net/wireless/ath/ath9k/htc_hst.c
> 119 for (tepid = ENDPOINT_MAX; tepid > ENDPOINT0; tepid--) {
> 120 tmp_endpoint = &target->endpoint[tepid];
> ^^^^^^^^^^^^^^^^^^^^^^^^^
>
> We are past the end of the array here. 22 vs 7.
>
> Perhaps the htc_target struct should be changed to ENDPOINT_MAX?
Ah right. That should be fixed.
Sujith
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [ath9k-devel] [patch 2/9] ath9k: range checking issues in htc_hst.c
2010-05-10 10:50 ` Sujith
@ 2010-05-10 12:17 ` Pavel Roskin
0 siblings, 0 replies; 7+ messages in thread
From: Pavel Roskin @ 2010-05-10 12:17 UTC (permalink / raw)
To: Sujith
Cc: Dan Carpenter, Vasanth Thiagarajan, Luis Rodriguez,
linux-wireless@vger.kernel.org, John W. Linville,
Senthilkumar Balasubramanian, ath9k-devel@lists.ath9k.org,
Jouni Malinen
On Mon, 2010-05-10 at 16:20 +0530, Sujith wrote:
> Ah right. That should be fixed.
I suggest using ARRAY_SIZE(target->endpoint) to be sure.
--
Regards,
Pavel Roskin
^ permalink raw reply [flat|nested] 7+ messages in thread
* [patch 2/9] ath9k: range checking issues in htc_hst.c
2010-05-08 16:22 [patch 2/9] ath9k: range checking issues in htc_hst.c Dan Carpenter
2010-05-10 4:37 ` Sujith
@ 2010-05-11 5:50 ` Sujith.Manoharan
2010-05-11 9:29 ` Dan Carpenter
1 sibling, 1 reply; 7+ messages in thread
From: Sujith.Manoharan @ 2010-05-11 5:50 UTC (permalink / raw)
To: Dan Carpenter
Cc: Luis Rodriguez, Jouni Malinen, Vasanth Thiagarajan,
Senthilkumar Balasubramanian, John W. Linville, Ming Lei,
linux-wireless@vger.kernel.org, ath9k-devel@lists.ath9k.org
Dan Carpenter wrote:
> The original code had ENDPOINT_MAX and HST_ENDPOINT_MAX switched.
>
> Also the first loop was off by one, it started past the end of the array
> and went down to 1 instead of going down to 0. The test at the end of
> the loop to see if we exited via a break wasn't right because
> "tmp_endpoint" is always non-null here.
This is a very good catch and fixes a stack corruption issue.
Do you mind if I work upon this patch and send out an updated fix ?
Sujith
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [patch 2/9] ath9k: range checking issues in htc_hst.c
2010-05-11 5:50 ` Sujith.Manoharan
@ 2010-05-11 9:29 ` Dan Carpenter
0 siblings, 0 replies; 7+ messages in thread
From: Dan Carpenter @ 2010-05-11 9:29 UTC (permalink / raw)
To: Sujith.Manoharan
Cc: Luis Rodriguez, Jouni Malinen, Vasanth Thiagarajan,
Senthilkumar Balasubramanian, John W. Linville, Ming Lei,
linux-wireless@vger.kernel.org, ath9k-devel@lists.ath9k.org
On Tue, May 11, 2010 at 11:20:02AM +0530, Sujith.Manoharan@atheros.com wrote:
> Dan Carpenter wrote:
> > The original code had ENDPOINT_MAX and HST_ENDPOINT_MAX switched.
> >
> > Also the first loop was off by one, it started past the end of the array
> > and went down to 1 instead of going down to 0. The test at the end of
> > the loop to see if we exited via a break wasn't right because
> > "tmp_endpoint" is always non-null here.
>
> This is a very good catch and fixes a stack corruption issue.
> Do you mind if I work upon this patch and send out an updated fix ?
>
> Sujith
Sorry, I meant to do that yesterday but I was out of it. Yes. Please
send the updated fix.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2010-05-11 9:30 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-05-08 16:22 [patch 2/9] ath9k: range checking issues in htc_hst.c Dan Carpenter
2010-05-10 4:37 ` Sujith
2010-05-10 10:23 ` Dan Carpenter
2010-05-10 10:50 ` Sujith
2010-05-10 12:17 ` [ath9k-devel] " Pavel Roskin
2010-05-11 5:50 ` Sujith.Manoharan
2010-05-11 9:29 ` Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).