Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

ath6kl: Array index out of bounds check

The variable assigned_ep can be assigned value of -1 and is never
checked if it equals -1. So the endpoint array can have -1  as the index
value and can be out of bounds.

The value of assigned_ep is checked for -1 and is ensured that the
endpoint array doesn't go out of bounds.

Signed-off-by: Pandiyarajan Pitchaimuthu <c_ppitch@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Pandiyarajan Pitchaimuthu 12 years ago
parent
698bf867d0
commit
86aa7c1efc
1 changed files with 2 additions and 1 deletions
Split View Show Diff Stats
  1. 2 1
      drivers/net/wireless/ath/ath6kl/htc_mbox.c

+ 2 - 1
drivers/net/wireless/ath/ath6kl/htc_mbox.c
View File 

@@ -2492,7 +2492,8 @@ static int ath6kl_htc_mbox_conn_service(struct htc_target *target,
 
 		max_msg_sz = le16_to_cpu(resp_msg->max_msg_sz);
 
 	}
 
 
-	if (assigned_ep >= ENDPOINT_MAX || !max_msg_sz) {
 
+	if (WARN_ON_ONCE(assigned_ep == ENDPOINT_UNUSED ||
 
+			 assigned_ep >= ENDPOINT_MAX || !max_msg_sz)) {
 
 		status = -ENOMEM;
 
 		goto fail_tx;
 
 	}