k2_fw_usb_api: prevent buffer overflow.

[open-ath9k-htc-firmware.git] / target_firmware / magpie_fw_dev / target / hif / k2_fw_usb_api.c

diff --git a/target_firmware/magpie_fw_dev/target/hif/k2_fw_usb_api.c b/target_firmware/magpie_fw_dev/target/hif/k2_fw_usb_api.c
index b549108c145d496be4808beff89b7031fd5a9012..0be8a8744ed0f89d5c11cd9085e33b7eea17efa8 100755 (executable)
--- a/target_firmware/magpie_fw_dev/target/hif/k2_fw_usb_api.c
+++ b/target_firmware/magpie_fw_dev/target/hif/k2_fw_usb_api.c
@@ -418,6 +418,10 @@ void vUsb_Reg_Out_patch(void)
 
     // get the size of this transcation
     usbfifolen = USB_BYTE_REG_READ(ZM_EP4_BYTE_COUNT_LOW_OFFSET);
+    if (usbfifolen > 0x40) {
+        A_PRINTF("EP4 FIFO Bug? Buffer is too big: %x\n", usbfifolen);
+        goto ERR;
+    }
 
     // check is command is new
     if( cmd_is_new ){
@@ -448,6 +452,11 @@ void vUsb_Reg_Out_patch(void)
     
     // accumulate the size
     cmdLen += usbfifolen;
+    if (cmdLen > buf->desc_list->buf_size) {
+        A_PRINTF("Data length on EP4 FIFO is bigger as allocated buffer data!"
+                 " Drop it!\n");
+        goto ERR;
+    }
     
     // round it to alignment
     if(usbfifolen % 4)