Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

iwl: off by one bug

tid is used as an array offset.
	agg = &priv->stations[sta_id].tid[tid].agg;
	iwl4965_tx_status_reply_tx(priv, agg, tx_resp, txq_id, index);

It should be limitted to MAX_TID_COUNT - 1;
        struct iwl_tid_data tid[MAX_TID_COUNT];

regards,
dan carpenter

Signed-off-by: Dan Carpenter <error27@gmail.com>
CC: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Dan Carpenter 15 years ago
parent
90852f7aed
commit
8a9ac160e8
1 changed files with 1 additions and 1 deletions
Split View Show Diff Stats
  1. 1 1
      drivers/net/wireless/iwlwifi/iwl-4965.c

+ 1 - 1
drivers/net/wireless/iwlwifi/iwl-4965.c
View File 

@@ -1961,7 +1961,7 @@ static void iwl4965_rx_reply_tx(struct iwl_priv *priv,
 
 	struct ieee80211_tx_info *info;
 
 	struct iwl4965_tx_resp *tx_resp = (void *)&pkt->u.raw[0];
 
 	u32  status = le32_to_cpu(tx_resp->u.status);
 
-	int tid = MAX_TID_COUNT;
 
+	int tid = MAX_TID_COUNT - 1;
 
 	int sta_id;
 
 	int freed;
 
 	u8 *qc = NULL;