From: Johannes Berg <johannes.berg@xxxxxxxxx>
When intersecting rules, we count first to know how many
rules need to be allocated, and then do the intersection
into the allocated array. However, the code doing this
writes past the end of the array because it attempts to
do all intersections. Make it stop when the right number
of rules has been reached.
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
---
net/wireless/reg.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index b6c7ea6..4197359 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -648,9 +648,9 @@ static struct ieee80211_regdomain *regdom_intersect(
if (!rd)
return NULL;
- for (x = 0; x < rd1->n_reg_rules; x++) {
+ for (x = 0; x < rd1->n_reg_rules && rule_idx < num_rules; x++) {
rule1 = &rd1->reg_rules[x];
- for (y = 0; y < rd2->n_reg_rules; y++) {
+ for (y = 0; y < rd2->n_reg_rules && rule_idx < num_rules; y++) {
rule2 = &rd2->reg_rules[y];
/*
* This time around instead of using the stack lets
--
1.8.0
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
