We should not get an hlid value bigger than WL12XX_MAX_LINKS from
wl1271_rx_handle_data(). We have a WARN_ON in case it happens. But
despite the warning, we would still go ahead and write the hlid bit
into active_hlids (a stack variable). This would cause us to
overwrite other data in the stack.
To avoid this problem, we now skip the write when issuing the warning,
so at least we don't corrupt data.
Signed-off-by: Luciano Coelho <coelho@xxxxxx>
---
drivers/net/wireless/wl12xx/rx.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/wl12xx/rx.c b/drivers/net/wireless/wl12xx/rx.c
index 8c277c0..4fbd2a7 100644
--- a/drivers/net/wireless/wl12xx/rx.c
+++ b/drivers/net/wireless/wl12xx/rx.c
@@ -258,8 +258,12 @@ void wl12xx_rx(struct wl1271 *wl, struct wl12xx_fw_status *status)
wl->aggr_buf + pkt_offset,
pkt_length, unaligned,
&hlid) == 1) {
- WARN_ON(hlid >= WL12XX_MAX_LINKS);
- __set_bit(hlid, active_hlids);
+ if (hlid < WL12XX_MAX_LINKS)
+ __set_bit(hlid, active_hlids);
+ else
+ WARN(1,
+ "hlid exceeded WL12XX_MAX_LINKS "
+ "(%d)\n", hlid);
}
wl->rx_counter++;
--
1.7.4.1
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
