[PATCH 16/20] iwlwifi: dbg: buffer overflow in non_collect_ts_start array

From: Shahar S Matityahu <shahar.s.matityahu@xxxxxxxxx>

The size of the buffer is IWL_FW_TRIGGER_ID_NUM - 1 which is equal to
IWL_FW_TRIGGER_ID_HOST_CHANNEL_SWITCH_COMPLETE so if the driver receives
this trigger, it will cause a buffer overflow.

Solve this by increasing the buffer size by 1.

Signed-off-by: Shahar S Matityahu <shahar.s.matityahu@xxxxxxxxx>
Fixes: fe1b7d6c2888 ("iwlwifi: add support for triggering ini triggers")
Signed-off-by: Luca Coelho <luciano.coelho@xxxxxxxxx>
---
 drivers/net/wireless/intel/iwlwifi/fw/runtime.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/fw/runtime.h b/drivers/net/wireless/intel/iwlwifi/fw/runtime.h
index 41c4a3e7ad82..6e843998d1c8 100644
--- a/drivers/net/wireless/intel/iwlwifi/fw/runtime.h
+++ b/drivers/net/wireless/intel/iwlwifi/fw/runtime.h
@@ -138,7 +138,7 @@ struct iwl_fw_runtime {
 		u8 conf;
 
 		/* ts of the beginning of a non-collect fw dbg data period */
-		unsigned long non_collect_ts_start[IWL_FW_TRIGGER_ID_NUM - 1];
+		unsigned long non_collect_ts_start[IWL_FW_TRIGGER_ID_NUM];
 		u32 *d3_debug_data;
 		struct iwl_fw_ini_region_cfg *active_regs[IWL_FW_INI_MAX_REGION_ID];
 		struct iwl_fw_ini_active_triggers active_trigs[IWL_FW_TRIGGER_ID_NUM];
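Review bot: the new bound on non_collect_ts_start now matches active_trigs[IWL_FW_TRIGGER_ID_NUM] three lines below, but nothing in the struct says that both arrays are indexed by trigger id, and the size alone does not protect the place where the index is used. Consider extending the comment above the field to state that it is indexed by trigger id. Where the received trigger id is used as an index, consider checking it against ARRAY_SIZE(non_collect_ts_start), so that a later change to the enum or an out-of-range id produces a warning instead of a write past the array.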
-- 
2.20.1



