From patchwork Sat Jul 25 21:34:31 2009 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Roel Kluin X-Patchwork-Id: 37366 Received: from zoinx.mars (d133062.upc-d.chello.nl [213.46.133.62]) by mx.google.com with ESMTPS id 5sm2140841eyf.4.2009.07.25.14.31.55 (version=SSLv3 cipher=RC4-MD5); Sat, 25 Jul 2009 
14:31:56 -0700 (PDT) Message-ID: <4A6B7A67.9070906@gmail.com> Date: Sat, 25 Jul 2009 23:34:31 +0200 From: Roel Kluin User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1b3pre) Gecko/20090513 Fedora/3.0-2.3.beta2.fc11 Thunderbird/3.0b2 MIME-Version: 1.0 To: yi.zhu@intel.com, linux-wireless@vger.kernel.org, ipw3945-devel@lists.sourceforge.net, Andrew Morton Subject: [PATCH] iwlwifi: Read outside array bounds Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org tid is bounded (above) by the size of default_tid_to_tx_fifo (17 elements), but the size of priv->stations[].tid[] is MAX_TID_COUNT (9) elements. Signed-off-by: Roel Kluin --- IWL_ERR(priv, "Start AGG when state is not IWL_AGG_OFF ! "); -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/net/wireless/iwlwifi/iwl-tx.c b/drivers/net/wireless/iwlwifi/iwl-tx.c index 85ae7a6..e9441c6 100644 --- a/drivers/net/wireless/iwlwifi/iwl-tx.c +++ b/drivers/net/wireless/iwlwifi/iwl-tx.c @@ -1170,6 +1170,8 @@ int iwl_tx_agg_start(struct iwl_priv *priv, const u8 *ra, u16 tid, u16 *ssn) IWL_ERR(priv, "Start AGG on invalid station "); return -ENXIO; } + if (unlikely(tid >= MAX_TID_COUNT)) + return -EINVAL; if (priv->stations[sta_id].tid[tid].agg.state != IWL_AGG_OFF) {
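Review bot: the new `tid >= MAX_TID_COUNT` check in iwl_tx_agg_start() returns -EINVAL silently, while the station check directly above it logs through IWL_ERR before returning -ENXIO; add a matching IWL_ERR (for example "Start AGG on invalid tid") so a rejected request shows up in the log. The commit message says tid is already bounded above by the 17-element default_tid_to_tx_fifo, so it would also be cleaner to apply the stricter MAX_TID_COUNT limit where that existing bound is enforced, so tid is validated once before any use, rather than only in front of the `priv->stations[sta_id].tid[tid]` read. The comparison itself is correct: tid is a u16, so `>=` against the 9-element array size rejects every out-of-range index.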