On Thu, Dec 6, 2012 at 8:47 AM, Johannes Berg <johannes@xxxxxxxxxxxxxxxx> wrote:
> From: Johannes Berg <johannes.berg@xxxxxxxxx>
>
> When intersecting rules, we count first to know how many
> rules need to be allocated, and then do the intersection
> into the allocated array. However, the code doing this
> writes past the end of the array because it attempts to
> do all intersections. Make it stop when the right number
> of rules has been reached.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Acked-by: Luis R. Rodriguez <mcgrof@xxxxxxxxxxxxxxxx>
A comment below though.
> ---
> net/wireless/reg.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/wireless/reg.c b/net/wireless/reg.c
> index b6c7ea6..4197359 100644
> --- a/net/wireless/reg.c
> +++ b/net/wireless/reg.c
> @@ -648,9 +648,9 @@ static struct ieee80211_regdomain *regdom_intersect(
> if (!rd)
> return NULL;
>
> - for (x = 0; x < rd1->n_reg_rules; x++) {
> + for (x = 0; x < rd1->n_reg_rules && rule_idx < num_rules; x++) {
> rule1 = &rd1->reg_rules[x];
> - for (y = 0; y < rd2->n_reg_rules; y++) {
> + for (y = 0; y < rd2->n_reg_rules && rule_idx < num_rules; y++) {
> rule2 = &rd2->reg_rules[y];
> /*
Does rule_idx ever become > num_rules though? The check that builds
num_rules are the same as we traverse and increment rule_idx.
Luis
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
