Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

rt2x00: fix memory corruption in rf cache, add a sanity check

Change rt2x00_rf_read() and rt2x00_rf_write() to subtract 1 from the rf
register number. This is needed because the rf registers are enumerated
starting with one. The size of the rf register cache is just enough to
hold all registers, so writing to the highest register was corrupting
memory. Add a check to make sure that the rf register number is valid.

Signed-off-by: Pavel Roskin <proski@gnu.org>
Cc: stable@kernel.org
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

authored by Pavel Roskin and committed by John W. Linville
6b26dead 416fbdff

+4 -2
drivers/net/wireless/rt2x00/rt2x00.h
··· 849 849 static inline void rt2x00_rf_read(struct rt2x00_dev *rt2x00dev, 850 850 const unsigned int word, u32 *data) 851 851 { 852 - *data = rt2x00dev->rf[word]; 852 + BUG_ON(word < 1 || word > rt2x00dev->ops->rf_size / sizeof(u32)); 853 + *data = rt2x00dev->rf[word - 1]; 853 854 } 854 855 855 856 static inline void rt2x00_rf_write(struct rt2x00_dev *rt2x00dev, 856 857 const unsigned int word, u32 data) 857 858 { 858 - rt2x00dev->rf[word] = data; 859 + BUG_ON(word < 1 || word > rt2x00dev->ops->rf_size / sizeof(u32)); 860 + rt2x00dev->rf[word - 1] = data; 859 861 } 860 862 861 863 /*
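Review bot: BUG_ON() in both rt2x00_rf_read() and rt2x00_rf_write() raises a fatal oops on an out-of-range rf word, which is a heavy response for a bounds check in an inline register-cache accessor. Consider `if (WARN_ON(word < 1 || word > rt2x00dev->ops->rf_size / sizeof(u32))) return;` instead, with `*data = 0;` set before the return on the read side so the caller never consumes an uninitialized value. The same condition is written out twice, so a small helper would keep the two accessors in sync, and a one-line comment stating that rf words are numbered from 1 would explain the `word - 1` index to later readers.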