On Wed, 2011-09-21 at 00:05 -0700, Dan Carpenter wrote:
> Hi Arik,
>
> Smatch complains about c47e8229fa56 "wl12xx: support up to 8 stations
> in AP-mode"
>
> drivers/net/wireless/wl12xx/main.c +832 wl12xx_irq_update_links_status(22)
> error: buffer overflow 'status->tx_lnk_free_pkts' 8 <= 10
>
> 828 for (hlid = WL1271_AP_STA_HLID_START; hlid < AP_MAX_LINKS; hlid++) {
> ^^^^^^^^^^^^
> We increased this to 11.
>
> 829 if (!wl1271_is_active_sta(wl, hlid))
> 830 continue;
> 831
> 832 cnt = status->tx_lnk_free_pkts[hlid] -
> ^^^^^^^^^^^^^^^^^^^^^^
>
> But the ->tx_lnk_free_pkts[] array still only has 8 elements so we're
> reading past the end of the array.
>
> 833 wl->links[hlid].prev_freed_pkts;
> 834
> 835 wl->links[hlid].prev_freed_pkts =
> 836 status->tx_lnk_free_pkts[hlid];
> 837 wl->links[hlid].allocated_pkts -= cnt;
> 838
> 839 wl12xx_irq_ps_regulate_link(wl, hlid,
> 840 wl->links[hlid].allocated_pkts);
> 841 }
Good catch, Dan! Thanks for checking this.
I checked our new firmware API and it seems that the wl12xx_fw_status
structure has changed. Now, WL12XX_MAX_LINKS, should be 12 instead of
8.
Arik, can you verify this and send a fix patch?
--
Cheers,
Luca.
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
