Commit 8a9ac160 authored by Dan Carpenter's avatar Dan Carpenter Committed by John W. Linville

iwl: off by one bug

tid is used as an array offset.
	agg = &priv->stations[sta_id].tid[tid].agg;
	iwl4965_tx_status_reply_tx(priv, agg, tx_resp, txq_id, index);

It should be limitted to MAX_TID_COUNT - 1;
        struct iwl_tid_data tid[MAX_TID_COUNT];

regards,
dan carpenter
Signed-off-by: default avatarDan Carpenter <error27@gmail.com>
CC: stable@kernel.org
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 90852f7a
...@@ -1961,7 +1961,7 @@ static void iwl4965_rx_reply_tx(struct iwl_priv *priv, ...@@ -1961,7 +1961,7 @@ static void iwl4965_rx_reply_tx(struct iwl_priv *priv,
struct ieee80211_tx_info *info; struct ieee80211_tx_info *info;
struct iwl4965_tx_resp *tx_resp = (void *)&pkt->u.raw[0]; struct iwl4965_tx_resp *tx_resp = (void *)&pkt->u.raw[0];
u32 status = le32_to_cpu(tx_resp->u.status); u32 status = le32_to_cpu(tx_resp->u.status);
int tid = MAX_TID_COUNT; int tid = MAX_TID_COUNT - 1;
int sta_id; int sta_id;
int freed; int freed;
u8 *qc = NULL; u8 *qc = NULL;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment