From: Shahar S Matityahu Date: Thu, 17 Jan 2019 07:57:27 +0000 (+0200) Subject: iwlwifi: dbg: buffer overflow in non_collect_ts_start array X-Git-Tag: v5.4-rc1~1543^2~131^2~59^2~4 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=21587a9b0a48bf8922e875b54edcc5a8a9a8b19f;p=platform%2Fkernel%2Flinux-rpi.git iwlwifi: dbg: buffer overflow in non_collect_ts_start array The size of the buffer is IWL_FW_TRIGGER_ID_NUM - 1 which is equal to IWL_FW_TRIGGER_ID_HOST_CHANNEL_SWITCH_COMPLETE so if the driver receives this trigger, it will cause a buffer overflow. Solve this by increasing the buffer size by 1. Signed-off-by: Shahar S Matityahu Fixes: fe1b7d6c2888 ("iwlwifi: add support for triggering ini triggers") Signed-off-by: Luca Coelho --- diff --git a/drivers/net/wireless/intel/iwlwifi/fw/runtime.h b/drivers/net/wireless/intel/iwlwifi/fw/runtime.h index 41c4a3e..6e84399 100644 --- a/drivers/net/wireless/intel/iwlwifi/fw/runtime.h +++ b/drivers/net/wireless/intel/iwlwifi/fw/runtime.h @@ -138,7 +138,7 @@ struct iwl_fw_runtime { u8 conf; /* ts of the beginning of a non-collect fw dbg data period */ - unsigned long non_collect_ts_start[IWL_FW_TRIGGER_ID_NUM - 1]; + unsigned long non_collect_ts_start[IWL_FW_TRIGGER_ID_NUM]; u32 *d3_debug_data; struct iwl_fw_ini_region_cfg *active_regs[IWL_FW_INI_MAX_REGION_ID]; struct iwl_fw_ini_active_triggers active_trigs[IWL_FW_TRIGGER_ID_NUM];
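Review bot: in the struct iwl_fw_runtime hunk of fw/runtime.h, the new size of non_collect_ts_start[IWL_FW_TRIGGER_ID_NUM] is only safe while every index used on it is below IWL_FW_TRIGGER_ID_NUM, and nothing in the visible lines enforces that. The commit message says the index is the trigger the driver receives, so the code that indexes this array should reject any id that is not below ARRAY_SIZE(non_collect_ts_start) before using it. That way a later addition to the trigger list, or an unexpected id, cannot reintroduce the same overflow. The comment above the field should also state that the array is indexed by trigger id. That would make it clear why it needs the same bound as active_trigs[IWL_FW_TRIGGER_ID_NUM] a few lines below, which already uses the full count.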