Staging: wlan-ng: off by one in prism2mgmt_scan_results()
authorDan Carpenter <dan.carpenter@oracle.com>
Wed, 18 Apr 2012 06:48:59 +0000 (09:48 +0300)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 18 Apr 2012 23:59:03 +0000 (16:59 -0700)
Count is used to cap "req->bssindex.data" which is used as an offset
into the hw->scanresults->info.hscanresult.result[] array.  The array
has only HFA384x_SCANRESULT_MAX (31) elements so the 32 is off by one.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/wlan-ng/prism2mgmt.c

index c3bb05dd744fd5a0a81a811d67fa3b4e2d9fdfa7..4efa9bc0fcf0d1750152de5342d565144a2427ce 100644 (file)
@@ -380,8 +380,8 @@ int prism2mgmt_scan_results(wlandevice_t *wlandev, void *msgp)
        }
 
        count = (hw->scanresults->framelen - 3) / 32;
-       if (count > 32)
-               count = 32;
+       if (count > HFA384x_SCANRESULT_MAX)
+               count = HFA384x_SCANRESULT_MAX;
 
        if (req->bssindex.data >= count) {
                pr_debug("requested index (%d) out of range (%d)\n",
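Review bot: The count computation just above the new clamp still uses the bare literals `3` and `32`, and that `32` (apparently a per-entry length) is easy to confuse with the array bound this commit corrects. I would add a comment there, for example `/* (framelen - header length) / per-result length; array bound is HFA384x_SCANRESULT_MAX */`, after confirming the units against the hfa384x definitions, or replace the literals with named constants. The type of `framelen` is not visible in this hunk; if it is not narrower than int, a device-reported value below 3 would wrap, be clamped to HFA384x_SCANRESULT_MAX, and let the index check that follows accept entries that were never filled in, so an explicit guard such as `if (hw->scanresults->framelen < 3)` before the division may be worth adding. prism2mgmt_scan_results() starts and ends outside this hunk.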