Patchwork iwlwifi: range checking issue

login
register
mail settings
Submitter Dan Carpenter
Date March 28, 2010, 11:55 a.m.
Message ID <20100328115500.GX5069@bicker>
Download mbox | patch
Permalink /patch/48778/
State Not Applicable
Delegated to: David Miller
Headers show

Comments

Dan Carpenter - March 28, 2010, 11:55 a.m.
IWL_RATE_COUNT is 13 and IWL_RATE_COUNT_LEGACY is 12.

IWL_RATE_COUNT_LEGACY is the right one here because iwl3945_rates
doesn't support 60M and also that's how "rates" is defined in
iwlcore_init_geos() from drivers/net/wireless/iwlwifi/iwl-core.c.

        rates = kzalloc((sizeof(struct ieee80211_rate) * IWL_RATE_COUNT_LEGACY),
                        GFP_KERNEL);

Signed-off-by: Dan Carpenter <error27@gmail.com>

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Zhu Yi - March 29, 2010, 2:01 a.m.
On Sun, 2010-03-28 at 19:55 +0800, Dan Carpenter wrote:
> IWL_RATE_COUNT is 13 and IWL_RATE_COUNT_LEGACY is 12.
> 
> IWL_RATE_COUNT_LEGACY is the right one here because iwl3945_rates
> doesn't support 60M and also that's how "rates" is defined in
> iwlcore_init_geos() from drivers/net/wireless/iwlwifi/iwl-core.c.
> 
>         rates = kzalloc((sizeof(struct ieee80211_rate) * IWL_RATE_COUNT_LEGACY),
>                         GFP_KERNEL);
> 
> Signed-off-by: Dan Carpenter <error27@gmail.com>

Acked-by: Zhu Yi <yi.zhu@intel.com>

Thanks,
-yi

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
reinette chatre - March 29, 2010, 4:13 p.m.
On Sun, 2010-03-28 at 19:01 -0700, Zhu, Yi wrote:
> On Sun, 2010-03-28 at 19:55 +0800, Dan Carpenter wrote:
> > IWL_RATE_COUNT is 13 and IWL_RATE_COUNT_LEGACY is 12.
> > 
> > IWL_RATE_COUNT_LEGACY is the right one here because iwl3945_rates
> > doesn't support 60M and also that's how "rates" is defined in
> > iwlcore_init_geos() from drivers/net/wireless/iwlwifi/iwl-core.c.
> > 
> >         rates = kzalloc((sizeof(struct ieee80211_rate) * IWL_RATE_COUNT_LEGACY),
> >                         GFP_KERNEL);
> > 
> > Signed-off-by: Dan Carpenter <error27@gmail.com>
> 
> Acked-by: Zhu Yi <yi.zhu@intel.com>

Great catch. Since this is a fix for a buffer overflow ... could you
please pass it on to stable also?

Thank you

Reinette

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/drivers/net/wireless/iwlwifi/iwl3945-base.c b/drivers/net/wireless/iwlwifi/iwl3945-base.c
index 54daa38..7d3806a 100644
--- a/drivers/net/wireless/iwlwifi/iwl3945-base.c
+++ b/drivers/net/wireless/iwlwifi/iwl3945-base.c
@@ -1955,7 +1955,7 @@  static void iwl3945_init_hw_rates(struct iwl_priv *priv,
 {
 	int i;
 
-	for (i = 0; i < IWL_RATE_COUNT; i++) {
+	for (i = 0; i < IWL_RATE_COUNT_LEGACY; i++) {
 		rates[i].bitrate = iwl3945_rates[i].ieee * 5;
 		rates[i].hw_value = i; /* Rate scaling will work on indexes */
 		rates[i].hw_value_short = i;