iwlwifi: dbg: buffer overflow in non_collect_ts_start array

The size of the buffer is IWL_FW_TRIGGER_ID_NUM - 1 which is equal to IWL_FW_TRIGGER_ID_HOST_CHANNEL_SWITCH_COMPLETE so if the driver receives this trigger, it will cause a buffer overflow. Solve this by increasing the buffer size by 1. Signed-off-by: Shahar S Matityahu <shahar.s.matityahu@intel.com> Fixes: fe1b7d6c2888 ("iwlwifi: add support for triggering ini triggers") Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
author: Shahar S Matityahu <shahar.s.matityahu@intel.com> 2019-01-17 10:57:27 +0300
committer: Luca Coelho <luciano.coelho@intel.com> 2019-02-14 12:29:51 +0300
commit: 21587a9b0a48bf8922e875b54edcc5a8a9a8b19f (patch)
tree: 8275c77d09b14998b0e92a28bde74e2a49d2cfb5 /drivers/net/wireless/intel
parent: a197e6d10ce26bdf4e7b8941321fb924b38ece02 (diff)
download: linux-21587a9b0a48bf8922e875b54edcc5a8a9a8b19f.tar.xz
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/net/wireless/intel/iwlwifi/fw/runtime.h b/drivers/net/wireless/intel/iwlwifi/fw/runtime.h
index 41c4a3e7ad82..6e843998d1c8 100644
--- a/drivers/net/wireless/intel/iwlwifi/fw/runtime.h
+++ b/drivers/net/wireless/intel/iwlwifi/fw/runtime.h
@@ -138,7 +138,7 @@ struct iwl_fw_runtime {
 		u8 conf;
 
 		/* ts of the beginning of a non-collect fw dbg data period */
-		unsigned long non_collect_ts_start[IWL_FW_TRIGGER_ID_NUM - 1];
+		unsigned long non_collect_ts_start[IWL_FW_TRIGGER_ID_NUM];
 		u32 *d3_debug_data;
 		struct iwl_fw_ini_region_cfg *active_regs[IWL_FW_INI_MAX_REGION_ID];
 		struct iwl_fw_ini_active_triggers active_trigs[IWL_FW_TRIGGER_ID_NUM];
author	Shahar S Matityahu <shahar.s.matityahu@intel.com>	2019-01-17 10:57:27 +0300
committer	Luca Coelho <luciano.coelho@intel.com>	2019-02-14 12:29:51 +0300
commit	21587a9b0a48bf8922e875b54edcc5a8a9a8b19f (patch)
tree	8275c77d09b14998b0e92a28bde74e2a49d2cfb5 /drivers/net/wireless/intel
parent	a197e6d10ce26bdf4e7b8941321fb924b38ece02 (diff)
download	linux-21587a9b0a48bf8922e875b54edcc5a8a9a8b19f.tar.xz