iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop
authorColin Ian King <colin.king@canonical.com>
Sun, 26 Jan 2020 00:09:54 +0000 (00:09 +0000)
committerKalle Valo <kvalo@codeaurora.org>
Sun, 26 Jan 2020 15:51:47 +0000 (17:51 +0200)
The loop counter addr is a u16 where as the upper limit of the loop
is an int. In the unlikely event that the il->cfg->eeprom_size is
greater than 64K then we end up with an infinite loop since addr will
wrap around an never reach upper loop limit. Fix this by making addr
an int.

Addresses-Coverity: ("Infinite loop")
Fixes: be663ab67077 ("iwlwifi: split the drivers for agn and legacy devices 3945/4965")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
drivers/net/wireless/intel/iwlegacy/common.c

index d966b29b45ee7716499edae1ff171cd77176604b..348c17ce72f5cd57b66fb5ae161b2381b3585bf3 100644 (file)
@@ -699,7 +699,7 @@ il_eeprom_init(struct il_priv *il)
        u32 gp = _il_rd(il, CSR_EEPROM_GP);
        int sz;
        int ret;
-       u16 addr;
+       int addr;
 
        /* allocate eeprom */
        sz = il->cfg->eeprom_size;