From patchwork Fri Aug  7 21:50:00 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Roel Kluin <roel.kluin@gmail.com>
X-Patchwork-Id: 40029
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167])
	by demeter.kernel.org (8.14.2/8.14.2) with ESMTP id n77LkSCK020129
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Fri, 7 Aug 2009 21:46:28 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754027AbZHGVqY (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Fri, 7 Aug 2009 17:46:24 -0400
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1753933AbZHGVqY
	(ORCPT <rfc822;linux-wireless-outgoing>);
	Fri, 7 Aug 2009 17:46:24 -0400
Received: from ey-out-2122.google.com ([74.125.78.26]:18292 "EHLO
	ey-out-2122.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753895AbZHGVqX (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Fri, 7 Aug 2009 17:46:23 -0400
Received: by ey-out-2122.google.com with SMTP id 9so588418eyd.37
	for <linux-wireless@vger.kernel.org>;
	Fri, 07 Aug 2009 14:46:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:received:received:message-id:date:from
	:user-agent:mime-version:to:subject:content-type
	:content-transfer-encoding;
	bh=DBJtD5wtc8IaeMO162lW1eWMegRF6hAOxfNCLtrPSFs=;
	b=AVFkpyU49aTUvNgO3Xszbx8B4wVfneqcj9FQ5Zbq+VHk+id+Fi9/ujFc3glHhPskcF
	/jMAtVWuaCKoDcrGJq9o2BEDQ3Xf3G7CSN3cLBQt8wROs0Bz+eT4DkR+SsyhyjFMLjsD
	vSU7S9aOx+DIz3X1mK7snoq6XCR3iwGUTPydI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=message-id:date:from:user-agent:mime-version:to:subject
	:content-type:content-transfer-encoding;
	b=cNjrEM3dN90Susp4t2OnDkHV3Gd5y1+i9rW1OpGPZQVoy/VXgaxsHH99/ghugXZa6c
	CUGRHmKz7nzOzPrIMv9fFvaGTP3vxsX/8NlbCqtoSNp15wAMGlIzF4xcJIfojIvXjpWR
	JuRYWQU3wXX6JAHqxNvhruTUiNko1Ydnw41io=
Received: by 10.211.168.4 with SMTP id v4mr20396ebo.82.1249681583552;
	Fri, 07 Aug 2009 14:46:23 -0700 (PDT)
Received: from zoinx.mars (d133062.upc-d.chello.nl [213.46.133.62])
	by mx.google.com with ESMTPS id 5sm4244201eyh.6.2009.08.07.14.46.22
	(version=SSLv3 cipher=RC4-MD5);
	Fri, 07 Aug 2009 14:46:23 -0700 (PDT)
Message-ID: <4A7CA188.1070706@gmail.com>
Date: Fri, 07 Aug 2009 23:50:00 +0200
From: Roel Kluin <roel.kluin@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US;
	rv:1.9.1b3pre) Gecko/20090513 Fedora/3.0-2.3.beta2.fc11
	Thunderbird/3.0b2
MIME-Version: 1.0
To: Jouni Malinen <jmalinen@atheros.com>, linux-wireless@vger.kernel.org,
	ath9k-devel@venema.h4ckr.net, Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH] ath9k: Fix read buffer overflow
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

Prevent a read of powInfo[-1] in the first iteration.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
The last hunk I already sent in a previous patch.

--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/net/wireless/ath/ath9k/eeprom.c b/drivers/net/wireless/ath/ath9k/eeprom.c
index a2fda70..ef4bf89 100644
--- a/drivers/net/wireless/ath/ath9k/eeprom.c
+++ b/drivers/net/wireless/ath/ath9k/eeprom.c
@@ -150,10 +150,10 @@ static void ath9k_hw_get_legacy_target_powers(struct ath_hw *ah,
 						       IS_CHAN_2GHZ(chan))) {
 				matchIndex = i;
 				break;
-			} else if ((freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
-						      IS_CHAN_2GHZ(chan))) &&
-				   (freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
-						      IS_CHAN_2GHZ(chan)))) {
+			} else if (freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
+						      IS_CHAN_2GHZ(chan)) && i > 0 &&
+				   freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
+						      IS_CHAN_2GHZ(chan))) {
 				lowIndex = i - 1;
 				break;
 			}
@@ -268,10 +268,10 @@ static void ath9k_hw_get_target_powers(struct ath_hw *ah,
 				matchIndex = i;
 				break;
 			} else
-				if ((freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
-						       IS_CHAN_2GHZ(chan))) &&
-				    (freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
-						       IS_CHAN_2GHZ(chan)))) {
+				if (freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
+						       IS_CHAN_2GHZ(chan)) && i > 0 &&
+				    freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
+						       IS_CHAN_2GHZ(chan))) {
 					lowIndex = i - 1;
 					break;
 				}
@@ -460,7 +460,7 @@ static int ath9k_hw_4k_check_eeprom(struct ath_hw *ah)
 		integer = swab32(eep->modalHeader.antCtrlCommon);
 		eep->modalHeader.antCtrlCommon = integer;
 
-		for (i = 0; i < AR5416_MAX_CHAINS; i++) {
+		for (i = 0; i < AR5416_EEP4K_MAX_CHAINS; i++) {
 			integer = swab32(eep->modalHeader.antCtrlChain[i]);
 			eep->modalHeader.antCtrlChain[i] = integer;
 		}
@@ -914,7 +914,7 @@ static void ath9k_hw_set_4k_power_per_rate_table(struct ath_hw *ah,
 			ctlMode, numCtlModes, isHt40CtlMode,
 			(pCtlMode[ctlMode] & EXT_ADDITIVE));
 
-		for (i = 0; (i < AR5416_NUM_CTLS) &&
+		for (i = 0; (i < AR5416_EEP4K_NUM_CTLS) &&
 				pEepData->ctlIndex[i]; i++) {
 			DPRINTF(ah->ah_sc, ATH_DBG_EEPROM,
 				"  LOOP-Ctlidx %d: cfgCtl 0x%2.2x "