The commit "ath9k: stomp audio profiles on weak signal
strength" failed to take care of new stomp type while
programming concurrent tx priority. That leads to array
index out of bounds access.
drivers/net/wireless/ath/ath9k/btcoex.c:414
ath9k_hw_btcoex_set_concur_txprio()
error: buffer overflow 'stomp_txprio' 4 <= 4
Reported-by: Dan Carpenter <[email protected]>
Signed-off-by: Rajkumar Manoharan <[email protected]>
---
drivers/net/wireless/ath/ath9k/mci.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath9k/mci.c b/drivers/net/wireless/ath/ath9k/mci.c
index 706378e..5c02702 100644
--- a/drivers/net/wireless/ath/ath9k/mci.c
+++ b/drivers/net/wireless/ath/ath9k/mci.c
@@ -257,8 +257,9 @@ static void ath_mci_set_concur_txprio(struct ath_softc *sc)
{
struct ath_btcoex *btcoex = &sc->btcoex;
struct ath_mci_profile *mci = &btcoex->mci;
- u8 stomp_txprio[] = { 0, 0, 0, 0 }; /* all, low, none, low_ftp */
+ u8 stomp_txprio[ATH_BTCOEX_STOMP_MAX];
+ memset(stomp_txprio, 0, sizeof(stomp_txprio));
if (mci->num_mgmt) {
stomp_txprio[ATH_BTCOEX_STOMP_ALL] = ATH_MCI_INQUIRY_PRIO;
if (!mci->num_pan && !mci->num_other_acl)
--
1.8.0.1