commit 84c4069232a671b3739387949d5cb588dacbd24a
author Ben Cahill <ben.m.cahill@intel.com> Fri Nov 06 14:52:57 2009 -0800
committer John W. Linville <linville@tuxdriver.com> Wed Nov 11 15:23:45 2009 -0500
tree 47f0bf17d5ea2e1386b26915b348fc0e1f806e3c
parent 6762f07fd55ff5e588aa5f0a1b70efe8e268a2e8

iwlwifi: Limit size of Event Log dump

If device provides bad values for Event Log parameters (due to being asleep
or SRAM corruption, etc.), the size can be very, very large (e.g. 0xa5a5a5a5),
which can flood system log.

Sanity-check capacity and next_entry values and limit to reasonable size dump.

Signed-off-by: Ben Cahill <ben.m.cahill@intel.com>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

drivers/net/wireless/iwlwifi/iwl-agn.c

diff --git a/drivers/net/wireless/iwlwifi/iwl-agn.c b/drivers/net/wireless/iwlwifi/iwl-agn.c
index ad8a348..9c40742 100644
--- a/drivers/net/wireless/iwlwifi/iwl-agn.c
+++ b/drivers/net/wireless/iwlwifi/iwl-agn.c
@@ -1702,6 +1702,9 @@
 	}
 }
 
+/* For sanity check only.  Actual size is determined by uCode, typ. 512 */
+#define MAX_EVENT_LOG_SIZE (512)
+
 void iwl_dump_nic_event_log(struct iwl_priv *priv)
 {
 	u32 base;       /* SRAM byte address of event log header */
@@ -1727,6 +1730,18 @@
 	num_wraps = iwl_read_targ_mem(priv, base + (2 * sizeof(u32)));
 	next_entry = iwl_read_targ_mem(priv, base + (3 * sizeof(u32)));
 
+	if (capacity > MAX_EVENT_LOG_SIZE) {
+		IWL_ERR(priv, "Log capacity %d is bogus, limit to %d entries\n",
+			capacity, MAX_EVENT_LOG_SIZE);
+		capacity = MAX_EVENT_LOG_SIZE;
+	}
+
+	if (next_entry > MAX_EVENT_LOG_SIZE) {
+		IWL_ERR(priv, "Log write index %d is bogus, limit to %d\n",
+			next_entry, MAX_EVENT_LOG_SIZE);
+		next_entry = MAX_EVENT_LOG_SIZE;
+	}
+
 	size = num_wraps ? capacity : next_entry;
 
 	/* bail out if nothing in log */