On Thu, Dec 6, 2012 at 8:47 AM, Johannes Berg <johannes@xxxxxxxxxxxxxxxx> wrote:
> From: Johannes Berg <johannes.berg@xxxxxxxxx>
>
> When intersecting rules, we count first to know how many
> rules need to be allocated, and then do the intersection
> into the allocated array. However, the code doing this
> writes past the end of the array because it attempts to
> do all intersections. Make it stop when the right number
> of rules has been reached.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>

Acked-by: Luis R. Rodriguez <mcgrof@xxxxxxxxxxxxxxxx>

A comment below though.

> --- > net/wireless/reg.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/net/wireless/reg.c b/net/wireless/reg.c > index b6c7ea6..4197359 100644 > --- a/net/wireless/reg.c > +++ b/net/wireless/reg.c > @@ -648,9 +648,9 @@ static struct ieee80211_regdomain *regdom_intersect( > if (!rd) > return NULL; > > - for (x = 0; x < rd1->n_reg_rules; x++) { > + for (x = 0; x < rd1->n_reg_rules && rule_idx < num_rules; x++) { > rule1 = &rd1->reg_rules[x]; > - for (y = 0; y < rd2->n_reg_rules; y++) { > + for (y = 0; y < rd2->n_reg_rules && rule_idx < num_rules; y++) { > rule2 = &rd2->reg_rules[y]; > /*

Does rule_idx ever become > num_rules though? The checks that build num_rules are the same as we traverse and increment rule_idx.

Luis
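Review bot: The added `rule_idx < num_rules` condition in both `for` loops ends the fill pass silently, and nothing in the hunk says how this pass can produce more rules than the counting pass that sized the array. The commit message describes the count and the fill as the same intersection, so hitting the bound means the two passes disagreed, and the result is then a truncated intersection rather than just a prevented out-of-bounds write. Suggest a comment above the outer loop naming the case in which the passes diverge, and a warning when the loops exit because `rule_idx` reached `num_rules`, so the condition is visible instead of being absorbed by the loop guard.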