summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLuciano Coelho <coelho@ti.com>2011-12-13 10:39:02 +0100
committerLuciano Coelho <coelho@ti.com>2011-12-15 08:58:41 +0100
commitf414218ed8bc716825755c9cf59f16a19f28314a (patch)
treee2374f0aa4635694bf9d55e00d93e88e4dcb33b8
parentwl12xx: Restore testmode ABI (diff)
downloadlinux-f414218ed8bc716825755c9cf59f16a19f28314a.tar.xz
linux-f414218ed8bc716825755c9cf59f16a19f28314a.zip
wl12xx: don't write out of bounds when hlid > WL12XX_MAX_LINKS
We should not get an hlid value bigger than WL12XX_MAX_LINKS from wl1271_rx_handle_data(). We have a WARN_ON in case it happens. But despite the warning, we would still go ahead and write the hlid bit into active_hlids (a stack variable). This would cause us to overwrite other data in the stack. To avoid this problem, we now skip the write when issuing the warning, so at least we don't corrupt data. Signed-off-by: Luciano Coelho <coelho@ti.com>
-rw-r--r--drivers/net/wireless/wl12xx/rx.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/drivers/net/wireless/wl12xx/rx.c b/drivers/net/wireless/wl12xx/rx.c
index 8c277c0cb372..4fbd2a722ffa 100644
--- a/drivers/net/wireless/wl12xx/rx.c
+++ b/drivers/net/wireless/wl12xx/rx.c
@@ -258,8 +258,12 @@ void wl12xx_rx(struct wl1271 *wl, struct wl12xx_fw_status *status)
wl->aggr_buf + pkt_offset,
pkt_length, unaligned,
&hlid) == 1) {
- WARN_ON(hlid >= WL12XX_MAX_LINKS);
- __set_bit(hlid, active_hlids);
+ if (hlid < WL12XX_MAX_LINKS)
+ __set_bit(hlid, active_hlids);
+ else
+ WARN(1,
+ "hlid exceeded WL12XX_MAX_LINKS "
+ "(%d)\n", hlid);
}
wl->rx_counter++;