From 0b0c3e3c7adc7b4b7805e4927c4dc5e9a1fbcff0 Mon Sep 17 00:00:00 2001
From: Yu Tian
Date: Fri, 3 Jul 2020 11:27:20 +0800
Subject: [PATCH] qcacmn: fix index overflow when tso seg large

In some cases, TSO segment may larger than 255. If use uint8 as the loop index, tx logic will overflow and sending the last segment repeatly, then lead to buffer double free. Change index variable to uint32
CRs-Fixed: 2722918
Change-Id: I156a5d8b8a3895e4f7bfc53cf5561f51ca8b06ca
---
 dp/wifi3.0/dp_tx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dp/wifi3.0/dp_tx.c b/dp/wifi3.0/dp_tx.c
index 085c4886f5..6dce79aba8 100644
--- a/dp/wifi3.0/dp_tx.c
+++ b/dp/wifi3.0/dp_tx.c
@@ -1790,7 +1790,7 @@ noinline
 qdf_nbuf_t dp_tx_send_msdu_multiple(struct dp_vdev *vdev, qdf_nbuf_t nbuf,
 struct dp_tx_msdu_info_s *msdu_info)
 {
- uint8_t i;
+ uint32_t i;
 struct dp_pdev *pdev = vdev->pdev;
 struct dp_soc *soc = pdev->soc;
 struct dp_tx_desc_s *tx_desc;
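Review bot: The new `uint32_t i;` removes the wrap only if everything it is compared with or copied into is at least as wide. The loop that uses `i` lies outside this hunk, so check that the segment count it iterates over, and any descriptor field or helper argument that receives `i`, is not still 8 bits wide. If one is, the repeated-segment double free described in the commit message stays reachable once the count exceeds 255. It is also worth recording the reason at the declaration, e.g. `uint32_t i; /* TSO segment count may exceed 255; a narrower index wraps */`, so the type is not narrowed again in a later cleanup. The body of dp_tx_send_msdu_multiple continues past the end of the hunk.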