From: Jérôme Pouiller <jerome.pouiller@xxxxxxxxxx>
Size of hif_mib_template_frame must be sufficient to contains bytes declared by frame_length and cannot exceed 700bytes. Change the API to reflect that.
Signed-off-by: Jérôme Pouiller <jerome.pouiller@xxxxxxxxxx>
---
drivers/staging/wfx/hif_api_mib.h | 4 +++-
drivers/staging/wfx/hif_tx_mib.c | 3 ++-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/wfx/hif_api_mib.h b/drivers/staging/wfx/hif_api_mib.h
index 0490157b4f3b..9f30cf503ad5 100644
--- a/drivers/staging/wfx/hif_api_mib.h
+++ b/drivers/staging/wfx/hif_api_mib.h
@@ -270,12 +270,14 @@ enum hif_tmplt {
 HIF_TMPLT_NA = 0x7
 };
+#define HIF_API_MAX_TEMPLATE_FRAME_SIZE 700
+
 struct hif_mib_template_frame {
 u8 frame_type;
 u8 init_rate:7;
 u8 mode:1;
 __le16 frame_length;
- u8 frame[700];
+ u8 frame[];
 } __packed;
 struct hif_mib_beacon_wake_up_period {
diff --git a/drivers/staging/wfx/hif_tx_mib.c b/drivers/staging/wfx/hif_tx_mib.c
index ac534406144c..41f3090d29be 100644
--- a/drivers/staging/wfx/hif_tx_mib.c
+++ b/drivers/staging/wfx/hif_tx_mib.c
@@ -148,6 +148,7 @@ int hif_set_template_frame(struct wfx_vif *wvif, struct sk_buff *skb,
 {
 struct hif_mib_template_frame *arg;
+ WARN(skb->len > HIF_API_MAX_TEMPLATE_FRAME_SIZE, "frame is too big");
 skb_push(skb, 4);
 arg = (struct hif_mib_template_frame *)skb->data;
 skb_pull(skb, 4);
@@ -155,7 +156,7 @@ int hif_set_template_frame(struct wfx_vif *wvif, struct sk_buff *skb,
 arg->frame_type = frame_type;
 arg->frame_length = cpu_to_le16(skb->len);
 return hif_write_mib(wvif->wdev, wvif->id, HIF_MIB_ID_TEMPLATE_FRAME,
- arg, sizeof(*arg));
+ arg, sizeof(*arg) + skb->len);
 }
 int hif_set_mfp(struct wfx_vif *wvif, bool capable, bool required)
--
2.25.1
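Review bot: `HIF_API_MAX_TEMPLATE_FRAME_SIZE` is introduced in the hif_api_mib.h hunk without a comment saying what it bounds, and nothing in the struct ties it to `frame[]` any more. A one-line comment above the define would make the contract explicit, for example `/* Maximum number of payload bytes in hif_mib_template_frame.frame[]; frame_length must not exceed it. */`. With the flexible array member, `sizeof(struct hif_mib_template_frame)` shrinks from 704 bytes to the 4-byte header, so any other `sizeof()` user of this struct that is not part of this patch should be checked for a silent change in the length it passes on.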
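Review bot: The `WARN(skb->len > HIF_API_MAX_TEMPLATE_FRAME_SIZE, ...)` added at the top of hif_set_template_frame() only logs, so an oversized frame is still handed to `hif_write_mib()` in the next hunk with a length of `sizeof(*arg) + skb->len`, and `frame_length` is a `__le16` that cannot represent every `skb->len` value. Since WARN() evaluates to its condition, the limit can be enforced in the same statement: `if (WARN(skb->len > HIF_API_MAX_TEMPLATE_FRAME_SIZE, "frame is too big")) return -EINVAL;`. If the skb length can be influenced from outside the driver (not visible in this hunk), prefer `WARN_ONCE` or a plain error return, because a WARN is fatal on systems booted with panic_on_warn. The function body starts before and continues past this hunk.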
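Review bot: The new length `sizeof(*arg) + skb->len` in the `hif_write_mib()` call is open-coded and unchecked, while the header size is still a literal `4` in the `skb_push(skb, 4)` / `skb_pull(skb, 4)` pair shown in the previous hunk. Now that `frame` is a flexible array, `struct_size(arg, frame, skb->len)` states the same size and saturates instead of wrapping on overflow. Using `sizeof(*arg)` in place of the literal `4` keeps the push/pull offset in step with the struct layout if a field is ever added. The type of the size parameter of `hif_write_mib()` is not visible here, so whether a large sum could be truncated on the way in should be confirmed against its prototype.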