On 18 September 2013 14:36, Bartosz Markowski
<bartosz.markowski@xxxxxxxxx> wrote:
> On 18 September 2013 12:51, Michal Kazior <michal.kazior@xxxxxxxxx> wrote:
>> On 18 September 2013 11:47, Bartosz Markowski
>>> + ar->hif.ops->chunk_free(ar, idx);
>>> +}
>>> +
>>> #endif /* _HIF_H_ */
>>> diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c
>>> index f1faf46..547d67d 100644
>>> --- a/drivers/net/wireless/ath/ath10k/pci.c
>>> +++ b/drivers/net/wireless/ath/ath10k/pci.c
>>> @@ -1966,6 +1966,49 @@ static int ath10k_pci_hif_resume(struct ath10k *ar)
>>> }
>>> #endif
>>>
>>> +static int ath10k_pci_hif_chunk_alloc(struct ath10k *ar,
>>> + u32 req_id,
>>> + u32 idx,
>>> + u32 num_units,
>>> + u32 unit_len)
>>> +{
>>> + dma_addr_t paddr;
>>> + struct ath10k_pci *ar_pci = ath10k_pci_priv(ar);
>>> +
>>> + if (!num_units || !unit_len)
>>> + return 0;
>>> +
>>
>> I'm not seeing any checks against buffer overflow of mem_chunks[req_id].
>
> if (idx == ATH10K_MAX_MEM_CHUNKS) in ath10k_wmi_alloc_host_mem ?

Oh, but the check is _after_ call to chunk_alloc(). What if
ath10k_wmi_alloc_host_mem() were to be called while idx == MAX?

Michał.
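
Review bot: in ath10k_pci_hif_chunk_alloc() the only validation visible is on num_units and unit_len; idx and req_id are taken from the caller with no range check in the quoted part of the function. As the thread notes, the idx == ATH10K_MAX_MEM_CHUNKS test in ath10k_wmi_alloc_host_mem runs after chunk_alloc() is called, so a call made with idx already at the limit would reach the allocator first. Suggest rejecting idx >= ATH10K_MAX_MEM_CHUNKS at the top of chunk_alloc() with an error return (and in the chunk_free path, which forwards idx unchecked via ar->hif.ops->chunk_free(ar, idx)), or moving the caller's check ahead of the call and making it a >= comparison. Separately, returning 0 for a zero num_units or unit_len leaves the caller unable to tell "nothing allocated" from success; a comment or a distinct return value would make that explicit.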