diff options
author | Sujith.Manoharan@atheros.com <Sujith.Manoharan@atheros.com> | 2010-05-11 13:33:36 +0200 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2010-05-12 22:39:06 +0200 |
commit | 8116daf2146d8fbc5d8d925984b3d4fd34dba1b4 (patch) | |
tree | 233a47f5e67c85878101241b9011e6b51605b529 /drivers/net/wireless/ath/ath9k/htc_hst.c | |
parent | ath9k_htc: Fix target ready race condition (diff) | |
download | linux-8116daf2146d8fbc5d8d925984b3d4fd34dba1b4.tar.xz linux-8116daf2146d8fbc5d8d925984b3d4fd34dba1b4.zip |
ath9k_htc: Fix array overflow
Use ENDPOINT_MAX instead of HST_ENDPOINT_MAX.
This fixes a stack corruption issue.
This is based on a patch sent by Dan Carpenter <error27@gmail.com>.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Sujith <Sujith.Manoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/ath/ath9k/htc_hst.c')
-rw-r--r-- | drivers/net/wireless/ath/ath9k/htc_hst.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c index e86e1728c8de..064397fd738e 100644 --- a/drivers/net/wireless/ath/ath9k/htc_hst.c +++ b/drivers/net/wireless/ath/ath9k/htc_hst.c @@ -39,7 +39,7 @@ static struct htc_endpoint *get_next_avail_ep(struct htc_endpoint *endpoint) { enum htc_endpoint_id avail_epid; - for (avail_epid = ENDPOINT_MAX; avail_epid > ENDPOINT0; avail_epid--) + for (avail_epid = (ENDPOINT_MAX - 1); avail_epid > ENDPOINT0; avail_epid--) if (endpoint[avail_epid].service_id == 0) return &endpoint[avail_epid]; return NULL; @@ -117,7 +117,7 @@ static void htc_process_conn_rsp(struct htc_target *target, max_msglen = be16_to_cpu(svc_rspmsg->max_msg_len); endpoint = &target->endpoint[epid]; - for (tepid = ENDPOINT_MAX; tepid > ENDPOINT0; tepid--) { + for (tepid = (ENDPOINT_MAX - 1); tepid > ENDPOINT0; tepid--) { tmp_endpoint = &target->endpoint[tepid]; if (tmp_endpoint->service_id == service_id) { tmp_endpoint->service_id = 0; @@ -125,7 +125,7 @@ static void htc_process_conn_rsp(struct htc_target *target, } } - if (!tmp_endpoint) + if (tepid == ENDPOINT0) return; endpoint->service_id = service_id; @@ -298,7 +298,7 @@ void htc_stop(struct htc_target *target) enum htc_endpoint_id epid; struct htc_endpoint *endpoint; - for (epid = ENDPOINT0; epid <= ENDPOINT_MAX; epid++) { + for (epid = ENDPOINT0; epid < ENDPOINT_MAX; epid++) { endpoint = &target->endpoint[epid]; if (endpoint->service_id != 0) target->hif->stop(target->hif_dev, endpoint->ul_pipeid); @@ -310,7 +310,7 @@ void htc_start(struct htc_target *target) enum htc_endpoint_id epid; struct htc_endpoint *endpoint; - for (epid = ENDPOINT0; epid <= ENDPOINT_MAX; epid++) { + for (epid = ENDPOINT0; epid < ENDPOINT_MAX; epid++) { endpoint = &target->endpoint[epid]; if (endpoint->service_id != 0) target->hif->start(target->hif_dev, |