On Thu, 2012-12-06 at 15:43 -0800, Luis R. Rodriguez wrote:

> > diff --git a/net/wireless/reg.c b/net/wireless/reg.c
> > index b6c7ea6..4197359 100644
> > --- a/net/wireless/reg.c
> > +++ b/net/wireless/reg.c
> > @@ -648,9 +648,9 @@ static struct ieee80211_regdomain *regdom_intersect(
> > if (!rd)
> > return NULL;
> >
> > - for (x = 0; x < rd1->n_reg_rules; x++) {
> > + for (x = 0; x < rd1->n_reg_rules && rule_idx < num_rules; x++) {
> > rule1 = &rd1->reg_rules[x];
> > - for (y = 0; y < rd2->n_reg_rules; y++) {
> > + for (y = 0; y < rd2->n_reg_rules && rule_idx < num_rules; y++) {
> > rule2 = &rd2->reg_rules[y];
> > /*
>
> Does rule_idx ever become > num_rules though? The check that builds
> num_rules are the same as we traverse and increment rule_idx.

It doesn't become greater, but it becomes equal. Say you have the following rules:

rd1: 1000-2000, 3000-4000
rd2: 1000-1500, 5000-6000

The result will be 1000-1500, so 1 rule. But while iterating, that's the very first thing, so rule_idx becomes 1 after the first iteration of the inner/outer loops, and then without the fix we still check 1000-2000 vs. 5000-6000, 3000-4000 vs. 1000-1500 and finally 3000-4000 vs. 5000-6000 and rule_idx is 1 all the time while checking that so we write past the array ...

This makes it stop when it knows it has found the right number of rules.

johannes
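
Review bot: the `rule_idx < num_rules` condition added to both `for` loops has no comment explaining why it is needed, and the question quoted right after the hunk shows the reason is not obvious from the code. Once the last valid rule has been stored, `rule_idx` equals `num_rules`, so every remaining pair is still evaluated against a slot one past the end of the array. Suggest a short comment above the outer loop saying that the loops must stop as soon as `rule_idx` reaches `num_rules`, or placing the bound next to the store so the guard sits where the out-of-bounds write would happen.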
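
The walk-through in the reply above, modelled as an added example (not the kernel's code and not from the thread): `struct range`, `intersect`, `fill` and `thread_example` are hypothetical names, and the model assumes the overlap is stored into the slot before it is validated. Stores aimed past the array are counted and redirected to a scratch slot so the program stays well-defined.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a regulatory rule: one frequency range. */
struct range { unsigned start, end; };

/* Stores the overlap in *out before validating it; returns 1 if non-empty.
 * Storing first is the assumption that makes the extra iterations harmful. */
static int intersect(const struct range *a, const struct range *b,
                     struct range *out)
{
    out->start = a->start > b->start ? a->start : b->start;
    out->end = a->end < b->end ? a->end : b->end;
    return out->start < out->end;
}

/* Second pass: fill out[0..num_rules). Returns how many stores were aimed at
 * index num_rules or beyond; those are redirected to a scratch slot here. */
static size_t fill(const struct range *a, size_t na, const struct range *b,
                   size_t nb, struct range *out, size_t num_rules, int bounded)
{
    size_t x, y, idx = 0, past_end = 0;
    struct range scratch;
    for (x = 0; x < na && (!bounded || idx < num_rules); x++) {
        for (y = 0; y < nb && (!bounded || idx < num_rules); y++) {
            struct range *slot = idx < num_rules ? &out[idx] : &scratch;
            if (slot == &scratch)
                past_end++;
            if (intersect(&a[x], &b[y], slot))
                idx++;
        }
    }
    return past_end;
}

/* The rule sets from the reply above; their intersection has one rule. */
static size_t thread_example(int bounded, struct range *result)
{
    const struct range rd1[] = { {1000, 2000}, {3000, 4000} };
    const struct range rd2[] = { {1000, 1500}, {5000, 6000} };
    return fill(rd1, 2, rd2, 2, result, 1, bounded);
}

int main(void)
{
    struct range r;
    printf("unfixed: %zu stores past the end\n", thread_example(0, &r));
    printf("fixed:   %zu stores past the end\n", thread_example(1, &r));
    return 0;
}
```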