ar9170: fix read & write outside array bounds

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

queue == __AR9170_NUM_TXQ would cause a bug on the next line.

found by Smatch ( http://repo.or.cz/w/smatch.git ).

Cc: stable@kernel.org
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

authored by

Dan Carpenter and committed by

John W. Linville 16 years ago e9d126cd 363ec561

+3 -2

1 changed file

expand all

drivers

net

wireless

ath

ar9170

main.c

+3 -2

drivers/net/wireless/ath/ar9170/main.c

··· 1967 1967 int ret; 1968 1968 1969 1969 mutex_lock(&ar->mutex); 1970 - if ((param) && !(queue > __AR9170_NUM_TXQ)) { 1970 + if (queue < __AR9170_NUM_TXQ) { 1971 1971 memcpy(&ar->edcf[ar9170_qos_hwmap[queue]], 1972 1972 param, sizeof(*param)); 1973 1973 1974 1974 ret = ar9170_set_qos(ar); 1975 - } else 1975 + } else { 1976 1976 ret = -EINVAL; 1977 + } 1977 1978 1978 1979 mutex_unlock(&ar->mutex); 1979 1980 return ret;