[PATCH] ipw2200: fix error log offset calculation

This fixes a slab corruption issue in the ipw2200 driver: it essentially multiplied the error log number _twice_ by the size of the error element entry (once explicitly in the code, and once implicitly as part of the regular pointer arithmetic). Cc: Henrik Brix Andersen <brix@gentoo.org> Cc: Bernard Blackham <bernard@blackham.com.au> Cc: Zilvinas Valinskas <zilvinas@gemtek.lt> Cc: Pekka Enberg <penberg@cs.helsinki.fi> Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org> --

[PATCH] ipw2200: fix error log offset calculation
This fixes a slab corruption issue in the ipw2200 driver: it essentially multiplied the error log number _twice_ by the size of the error element entry (once explicitly in the code, and once implicitly as part of the regular pointer arithmetic). Cc: Henrik Brix Andersen <brix@gentoo.org> Cc: Bernard Blackham <bernard@blackham.com.au> Cc: Zilvinas Valinskas <zilvinas@gemtek.lt> Cc: Pekka Enberg <penberg@cs.helsinki.fi> Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org> --
3b26b110 · Zhu Yi · Linus Torvalds · efb3442c · 3b26b110
Commit 3b26b110 authored Nov 17, 2005 by Zhu Yi Committed by Linus Torvalds Nov 17, 2005
Show whitespace changes
Inline Side-by-side

Showing with 1 addition and 2 deletions

drivers/net/wireless/ipw2200.c drivers/net/wireless/ipw2200.c +1 -2

No files found.
--- a/drivers/net/wireless/ipw2200.c
+++ b/drivers/net/wireless/ipw2200.c
@@ -1110,8 +1110,7 @@ static struct ipw_fw_error *ipw_alloc_error_log(struct ipw_priv *priv)
 	error->elem_len = elem_len;
 	error->log_len = log_len;
 	error->elem = (struct ipw_error_elem *)error->payload;
-	error->log = (struct ipw_event *)(error->elem +
+	error->log = (struct ipw_event *)(error->elem + elem_len);
-					  (sizeof(*error->elem) * elem_len));
 	ipw_capture_event_log(priv, log_len, error->log);