iwlwifi: dbg: buffer overflow in non_collect_ts_start array
author Shahar S Matityahu <shahar.s.matityahu@intel.com>
Thu, 17 Jan 2019 07:57:27 +0000 (09:57 +0200)
committer Luca Coelho <luciano.coelho@intel.com>
Thu, 14 Feb 2019 09:29:51 +0000 (11:29 +0200)
The size of the buffer is IWL_FW_TRIGGER_ID_NUM - 1 which is equal to
IWL_FW_TRIGGER_ID_HOST_CHANNEL_SWITCH_COMPLETE so if the driver receives
this trigger, it will cause a buffer overflow.

Solve this by increasing the buffer size by 1.

Signed-off-by: Shahar S Matityahu <shahar.s.matityahu@intel.com>
Fixes: fe1b7d6c2888 ("iwlwifi: add support for triggering ini triggers")
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
drivers/net/wireless/intel/iwlwifi/fw/runtime.h

index 41c4a3e..6e84399 100644 (file)
@@ -138,7 +138,7 @@ struct iwl_fw_runtime {
                u8 conf;
 
                /* ts of the beginning of a non-collect fw dbg data period */
-               unsigned long non_collect_ts_start[IWL_FW_TRIGGER_ID_NUM - 1];
+               unsigned long non_collect_ts_start[IWL_FW_TRIGGER_ID_NUM];
                u32 *d3_debug_data;
                struct iwl_fw_ini_region_cfg *active_regs[IWL_FW_INI_MAX_REGION_ID];
                struct iwl_fw_ini_active_triggers active_trigs[IWL_FW_TRIGGER_ID_NUM];
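
Review bot: The index into non_collect_ts_start is not validated anywhere in this hunk, so the fix relies entirely on the declared size at the changed line matching the largest trigger id. The new bound IWL_FW_TRIGGER_ID_NUM now agrees with active_trigs two lines below, which is the right size for an array indexed by trigger id. Since the commit message says the id comes from a trigger the driver receives, it would be worth confirming that the code writing to this array rejects ids at or above IWL_FW_TRIGGER_ID_NUM, for example by comparing against ARRAY_SIZE(non_collect_ts_start), so that a later change to the enum or to this declaration cannot silently reintroduce the out-of-bounds write. A short comment on the field stating that it is indexed by trigger id would also make the sizing requirement explicit.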