]> git.ipfire.org Git - people/arne_f/kernel.git/commitdiff
projects / people / arne_f / kernel.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 724ad42)
iwl: off by one bug
authorDan Carpenter <error27@gmail.com>
Sun, 3 Jan 2010 09:19:35 +0000 (11:19 +0200)
committerGreg Kroah-Hartman <gregkh@suse.de>
Mon, 18 Jan 2010 18:19:46 +0000 (10:19 -0800)
commit 8a9ac160e844c7ce8074f6aa531feefb4acdee7c upstream.

tid is used as an array offset.
agg = &priv->stations[sta_id].tid[tid].agg;
iwl4965_tx_status_reply_tx(priv, agg, tx_resp, txq_id, index);

It should be limitted to MAX_TID_COUNT - 1;
        struct iwl_tid_data tid[MAX_TID_COUNT];

regards,
dan carpenter

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
drivers/net/wireless/iwlwifi/iwl-4965.c patch | blob | blame | history

diff --git a/drivers/net/wireless/iwlwifi/iwl-4965.c b/drivers/net/wireless/iwlwifi/iwl-4965.c
index f4e2e84e12965e4f48cbf4f243e1a0abff47f8af..99331edd9d7523033811210586a513e999956cb7 100644 (file)
--- a/drivers/net/wireless/iwlwifi/iwl-4965.c
+++ b/drivers/net/wireless/iwlwifi/iwl-4965.c
@@ -2087,7 +2087,7 @@ static void iwl4965_rx_reply_tx(struct iwl_priv *priv,
        struct ieee80211_tx_info *info;
        struct iwl4965_tx_resp *tx_resp = (void *)&pkt->u.raw[0];
        u32  status = le32_to_cpu(tx_resp->u.status);
-       int tid = MAX_TID_COUNT;
+       int tid = MAX_TID_COUNT - 1;
        int sta_id;
        int freed;
        u8 *qc = NULL;
Arne's tree of linux kernel.