Linux-Wireless Archive on lore.kernel.org
 help / color / Atom feed
From: Maya Erez <qca_merez@qca.qualcomm.com>
To: Kalle Valo <kvalo@codeaurora.org>
Cc: Dedy Lansky <qca_dlansky@qualcomm.com>,
	linux-wireless@vger.kernel.org, wil6210@qca.qualcomm.com,
	Maya Erez <qca_merez@qca.qualcomm.com>
Subject: [PATCH 10/11] wil6210: fix array out of bounds access in pmc
Date: Wed,  5 Apr 2017 14:58:13 +0300
Message-ID: <1491393494-11816-11-git-send-email-qca_merez@qca.qualcomm.com> (raw)
In-Reply-To: <1491393494-11816-1-git-send-email-qca_merez@qca.qualcomm.com>

From: Dedy Lansky <qca_dlansky@qca.qualcomm.com>

Array index 'i' is used before limits check.
Fix this by doing limits check first.

Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
---
 drivers/net/wireless/ath/wil6210/pmc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/ath/wil6210/pmc.c b/drivers/net/wireless/ath/wil6210/pmc.c
index b067fdf..2e301b6 100644
--- a/drivers/net/wireless/ath/wil6210/pmc.c
+++ b/drivers/net/wireless/ath/wil6210/pmc.c
@@ -200,7 +200,7 @@ void wil_pmc_alloc(struct wil6210_priv *wil,
 
 release_pmc_skbs:
 	wil_err(wil, "exit on error: Releasing skbs...\n");
-	for (i = 0; pmc->descriptors[i].va && i < num_descriptors; i++) {
+	for (i = 0; i < num_descriptors && pmc->descriptors[i].va; i++) {
 		dma_free_coherent(dev,
 				  descriptor_size,
 				  pmc->descriptors[i].va,
@@ -283,7 +283,7 @@ void wil_pmc_free(struct wil6210_priv *wil, int send_pmc_cmd)
 		int i;
 
 		for (i = 0;
-		     pmc->descriptors[i].va && i < pmc->num_descriptors; i++) {
+		     i < pmc->num_descriptors && pmc->descriptors[i].va; i++) {
 			dma_free_coherent(dev,
 					  pmc->descriptor_size,
 					  pmc->descriptors[i].va,
-- 
1.9.1

  parent reply index

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-04-05 11:58 [PATCH 00/11] wil6210 patches Maya Erez
2017-04-05 11:58 ` [PATCH 02/11] wil6210: restore power save state after internal FW reset Maya Erez
2017-04-05 11:58 ` [PATCH 03/11] wil6210: support 8KB RX buffers Maya Erez
2017-04-05 11:58 ` [PATCH 04/11] wil6210: align to latest auto generated wmi.h Maya Erez
2017-04-05 11:58 ` [PATCH 05/11] wil6210: fix protection against connections during reset Maya Erez
2017-04-05 11:58 ` [PATCH 06/11] wil6210: protect against sporadic interrupt during suspend flow Maya Erez
2017-04-05 11:58 ` [PATCH 07/11] wil6210: fix check for sparrow D0 FW file Maya Erez
2017-04-05 11:58 ` [PATCH 08/11] wil6210: fix memory access violation in wil_memcpy_from/toio_32 Maya Erez
2017-04-05 11:58 ` [PATCH 09/11] wil6210: remove HALP voting in debugfs ioblob Maya Erez
2017-04-05 11:58 ` Maya Erez [this message]
2017-04-05 11:58 ` [PATCH 11/11] wil6210: prevent access to 11AD device if resume fails Maya Erez
2017-04-05 11:58 [PATCH 01/11] wil6210: fix sequence for scan-abort during reset Maya Erez
2017-04-13 12:47 ` [01/11] " Kalle Valo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1491393494-11816-11-git-send-email-qca_merez@qca.qualcomm.com \
    --to=qca_merez@qca.qualcomm.com \
    --cc=kvalo@codeaurora.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=qca_dlansky@qualcomm.com \
    --cc=wil6210@qca.qualcomm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Wireless Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-wireless/0 linux-wireless/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-wireless linux-wireless/ https://lore.kernel.org/linux-wireless \
		linux-wireless@vger.kernel.org
	public-inbox-index linux-wireless

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-wireless


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git