ath6kl: Array index out of bounds check

The variable assigned_ep can be assigned value of -1 and is never
checked if it equals -1. So the endpoint array can have -1  as the index
value and can be out of bounds.

The value of assigned_ep is checked for -1 and is ensured that the
endpoint array doesn't go out of bounds.

Signed-off-by: Pandiyarajan Pitchaimuthu <c_ppitch@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>

diff --git a/drivers/net/wireless/ath/ath6kl/htc_mbox.c b/drivers/net/wireless/ath/ath6kl/htc_mbox.c
index cd0e1ba..ceaf921 100644 (file)
--- a/drivers/net/wireless/ath/ath6kl/htc_mbox.c
+++ b/drivers/net/wireless/ath/ath6kl/htc_mbox.c
@@ -2492,7 +2492,8 @@ static int ath6kl_htc_mbox_conn_service(struct htc_target *target,
                max_msg_sz = le16_to_cpu(resp_msg->max_msg_sz);
        }
 
-       if (assigned_ep >= ENDPOINT_MAX || !max_msg_sz) {
+       if (WARN_ON_ONCE(assigned_ep == ENDPOINT_UNUSED ||
+                        assigned_ep >= ENDPOINT_MAX || !max_msg_sz)) {
                status = -ENOMEM;
                goto fail_tx;
        }