wl12xx: don't write out of bounds when hlid > WL12XX_MAX_LINKS

We should not get an hlid value bigger than WL12XX_MAX_LINKS from wl1271_rx_handle_data(). We have a WARN_ON in case it happens. But despite the warning, we would still go ahead and write the hlid bit into active_hlids (a stack variable). This would cause us to overwrite other data in the stack. To avoid this problem, we now skip the write when issuing the warning, so at least we don't corrupt data. Signed-off-by: Luciano Coelho <coelho@ti.com>
git-mirror · Dec 15, 2011 · f414218 · f414218
1 parent 3f17649
commit f414218
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/drivers/net/wireless/wl12xx/rx.c b/drivers/net/wireless/wl12xx/rx.c
@@ -258,8 +258,12 @@ void wl12xx_rx(struct wl1271 *wl, struct wl12xx_fw_status *status)
 						  wl->aggr_buf + pkt_offset,
 						  pkt_length, unaligned,
 						  &hlid) == 1) {
-				WARN_ON(hlid >= WL12XX_MAX_LINKS);
-				__set_bit(hlid, active_hlids);
+				if (hlid < WL12XX_MAX_LINKS)
+					__set_bit(hlid, active_hlids);
+				else
+					WARN(1,
+					     "hlid exceeded WL12XX_MAX_LINKS "
+					     "(%d)\n", hlid);
 			}
 
 			wl->rx_counter++;