Merge tag 'memcpy-v5.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees...

[platform/kernel/linux-starfive.git] / drivers / net / wireless / ath / ath9k / htc_hst.c

diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index d2e062e..994ec48 100644 (file)
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -30,6 +30,7 @@ static int htc_issue_send(struct htc_target *target, struct sk_buff* skb,
        hdr->endpoint_id = epid;
        hdr->flags = flags;
        hdr->payload_len = cpu_to_be16(len);
+       memset(hdr->control, 0, sizeof(hdr->control));
 
        status = target->hif->send(target->hif_dev, endpoint->ul_pipeid, skb);
 
@@ -272,6 +273,10 @@ int htc_connect_service(struct htc_target *target,
        conn_msg->dl_pipeid = endpoint->dl_pipeid;
        conn_msg->ul_pipeid = endpoint->ul_pipeid;
 
+       /* To prevent infoleak */
+       conn_msg->svc_meta_len = 0;
+       conn_msg->pad = 0;
+
        ret = htc_issue_send(target, skb, skb->len, 0, ENDPOINT0);
        if (ret)
                goto err;
@@ -339,6 +344,8 @@ void ath9k_htc_txcompletion_cb(struct htc_target *htc_handle,
 
        if (skb) {
                htc_hdr = (struct htc_frame_hdr *) skb->data;
+               if (htc_hdr->endpoint_id >= ARRAY_SIZE(htc_handle->endpoint))
+                       goto ret;
                endpoint = &htc_handle->endpoint[htc_hdr->endpoint_id];
                skb_pull(skb, sizeof(struct htc_frame_hdr));