X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=target_firmware%2Fmagpie_fw_dev%2Ftarget%2Fhif%2Fk2_fw_usb_api.c;h=0be8a8744ed0f89d5c11cd9085e33b7eea17efa8;hb=e3e96797ec020bba955ae59e173044987e5d4806;hp=b549108c145d496be4808beff89b7031fd5a9012;hpb=4fcff38e30f342187b26ad29bc30c74f2b4810ed;p=open-ath9k-htc-firmware.git
diff --git a/target_firmware/magpie_fw_dev/target/hif/k2_fw_usb_api.c b/target_firmware/magpie_fw_dev/target/hif/k2_fw_usb_api.c
index b549108..0be8a87 100755
--- a/target_firmware/magpie_fw_dev/target/hif/k2_fw_usb_api.c
+++ b/target_firmware/magpie_fw_dev/target/hif/k2_fw_usb_api.c
@@ -418,6 +418,10 @@ void vUsb_Reg_Out_patch(void)
 // get the size of this transcation
 usbfifolen = USB_BYTE_REG_READ(ZM_EP4_BYTE_COUNT_LOW_OFFSET);
+ if (usbfifolen > 0x40) {
+ A_PRINTF("EP4 FIFO Bug? Buffer is too big: %x\n", usbfifolen);
+ goto ERR;
+ }
 // check is command is new
 if( cmd_is_new ){
@@ -448,6 +452,11 @@ void vUsb_Reg_Out_patch(void)
 // accumulate the size
 cmdLen += usbfifolen;
+ if (cmdLen > buf->desc_list->buf_size) {
+ A_PRINTF("Data length on EP4 FIFO is bigger as allocated buffer data!"
+ " Drop it!\n");
+ goto ERR;
+ }
 // round it to alignment
 if(usbfifolen % 4)
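Review bot: The `0x40` bound in the added `if (usbfifolen > 0x40)` check (hunk at -418) is an unexplained magic number, and nothing in the hunk says why 64 bytes is the limit. Since this is a sanity check on a length taken from the EP4 FIFO byte-count register, the rationale should be stated where an auditor will look for it, for example `/* 0x40 = 64 bytes, presumably the EP4 max packet size - confirm */`, or the value given a name. The `ERR` label and the rest of vUsb_Reg_Out_patch lie outside the hunk, so whether the error path also discards the oversized FIFO contents cannot be confirmed from here.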
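Review bot: The new bound in the hunk at -448 compares the unrounded `cmdLen` with `buf_size`, but the very next context lines round `usbfifolen` up to 4-byte alignment. If the copy that follows (outside this hunk) writes whole words, it could still store up to 3 bytes past the buffer when the accepted length is not a multiple of 4. Checking the aligned length would close that gap, e.g. `if (((cmdLen + 3) & ~3) > buf->desc_list->buf_size) {`. Note also that `cmdLen` has already been incremented when `goto ERR` is taken; the `ERR` label is not visible here, so it is worth confirming that it resets `cmdLen` and `cmd_is_new` so a dropped command does not leave stale state for the next transfer.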