If "resp_len" gets set to negative then it counts as a high positive value. Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> --- I spotted this reviewing the int => bool changes, but I don't have the hardware and can't test it. diff --git a/drivers/net/wireless/mwifiex/wmm.c b/drivers/net/wireless/mwifiex/wmm.c index 2e8f9cd..3c6ee3a 100644 --- a/drivers/net/wireless/mwifiex/wmm.c +++ b/drivers/net/wireless/mwifiex/wmm.c @@ -772,6 +772,8 @@ int mwifiex_ret_wmm_get_status(struct mwifiex_private *priv, break; } + if (resp_len < tlv_len + sizeof(tlv_hdr->header)) + break; curr += (tlv_len + sizeof(tlv_hdr->header)); resp_len -= (tlv_len + sizeof(tlv_hdr->header)); }
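
Review bot: the new length check sits at the bottom of the loop body, after the `break; }` that closes the per-TLV handling, so a TLV whose tlv_len runs past the remaining resp_len has already been handled in this iteration before the loop bails out. Consider moving the check up to the point where tlv_len is read, before the TLV contents are touched, so a truncated or oversized TLV is rejected before it is parsed. Separately, the comparison mixes resp_len with a sizeof expression, so it is evaluated as unsigned if resp_len is a signed int (its declaration is not visible in this hunk). That holds as long as resp_len is never negative on entry to the loop, and a short comment stating that invariant, or an unsigned type for resp_len, would make it explicit. The early exit is also silent: a debug message or an error return would make a malformed response visible to whoever has the hardware to test this.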