提交 af31cb5a 编写于 作者: V Vladimir Kondratiev 提交者: John W. Linville

wil6210: fix buffer overflow in wil_txdesc_debugfs_show()

Wrong index comparison logic, found by smatch:

drivers/net/wireless/ath/wil6210/debugfs.c:402 wil_txdesc_debugfs_show() warn: buffer overflow 'wil->vring_tx' 24 <= 24
Signed-off-by: NVladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
上级 7661e975
...@@ -26,8 +26,7 @@ ...@@ -26,8 +26,7 @@
/* Nasty hack. Better have per device instances */ /* Nasty hack. Better have per device instances */
static u32 mem_addr; static u32 mem_addr;
static u32 dbg_txdesc_index; static u32 dbg_txdesc_index;
static u32 dbg_vring_index; /* 25 for Rx, 0..24 for Tx */ static u32 dbg_vring_index; /* 24+ for Rx, 0..23 for Tx */
#define WIL_DBG_VRING_INDEX_RX (WIL6210_MAX_TX_RINGS + 1)
static void wil_print_vring(struct seq_file *s, struct wil6210_priv *wil, static void wil_print_vring(struct seq_file *s, struct wil6210_priv *wil,
const char *name, struct vring *vring, const char *name, struct vring *vring,
...@@ -404,13 +403,14 @@ static int wil_txdesc_debugfs_show(struct seq_file *s, void *data) ...@@ -404,13 +403,14 @@ static int wil_txdesc_debugfs_show(struct seq_file *s, void *data)
{ {
struct wil6210_priv *wil = s->private; struct wil6210_priv *wil = s->private;
struct vring *vring; struct vring *vring;
if (dbg_vring_index <= WIL6210_MAX_TX_RINGS) bool tx = (dbg_vring_index < WIL6210_MAX_TX_RINGS);
if (tx)
vring = &(wil->vring_tx[dbg_vring_index]); vring = &(wil->vring_tx[dbg_vring_index]);
else else
vring = &wil->vring_rx; vring = &wil->vring_rx;
if (!vring->va) { if (!vring->va) {
if (dbg_vring_index <= WIL6210_MAX_TX_RINGS) if (tx)
seq_printf(s, "No Tx[%2d] VRING\n", dbg_vring_index); seq_printf(s, "No Tx[%2d] VRING\n", dbg_vring_index);
else else
seq_puts(s, "No Rx VRING\n"); seq_puts(s, "No Rx VRING\n");
...@@ -426,7 +426,7 @@ static int wil_txdesc_debugfs_show(struct seq_file *s, void *data) ...@@ -426,7 +426,7 @@ static int wil_txdesc_debugfs_show(struct seq_file *s, void *data)
volatile u32 *u = (volatile u32 *)d; volatile u32 *u = (volatile u32 *)d;
struct sk_buff *skb = vring->ctx[dbg_txdesc_index].skb; struct sk_buff *skb = vring->ctx[dbg_txdesc_index].skb;
if (dbg_vring_index <= WIL6210_MAX_TX_RINGS) if (tx)
seq_printf(s, "Tx[%2d][%3d] = {\n", dbg_vring_index, seq_printf(s, "Tx[%2d][%3d] = {\n", dbg_vring_index,
dbg_txdesc_index); dbg_txdesc_index);
else else
...@@ -461,7 +461,7 @@ static int wil_txdesc_debugfs_show(struct seq_file *s, void *data) ...@@ -461,7 +461,7 @@ static int wil_txdesc_debugfs_show(struct seq_file *s, void *data)
} }
seq_printf(s, "}\n"); seq_printf(s, "}\n");
} else { } else {
if (dbg_vring_index <= WIL6210_MAX_TX_RINGS) if (tx)
seq_printf(s, "[%2d] TxDesc index (%d) >= size (%d)\n", seq_printf(s, "[%2d] TxDesc index (%d) >= size (%d)\n",
dbg_vring_index, dbg_txdesc_index, dbg_vring_index, dbg_txdesc_index,
vring->size); vring->size);
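Review bot: In wil_txdesc_debugfs_show(), `tx` is computed from one read of the file-scope `dbg_vring_index`, but `wil->vring_tx[dbg_vring_index]` on the following line reads the global again, so the corrected bound is not tied to the value actually used as the index. If these statics can be written through debugfs while a show is in progress (the code that exposes them is not visible here), a concurrent write could still yield an out-of-range index; the same applies to `vring->ctx[dbg_txdesc_index]` in the third hunk. Snapshot both once at the top of the function, e.g. `u32 ring = dbg_vring_index;` and `u32 desc = dbg_txdesc_index;` (via the tree's single-read accessor), and use the locals for the check, the array index and the prints. Separately, the `%2d`/`%d` conversions are applied to u32 values and would be better as `%2u`/`%u`. The function body continues outside the displayed hunks.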