On Thu, Feb 26, 2009 at 6:19 PM, Jiri Slaby <jirislaby@xxxxxxxxx> wrote:
> On 27.2.2009 00:15, Bob Copeland wrote:
>> Speaking of, I think there's another potential oob array access at:
>>
>>         if (rxs.rate_idx >= 0 && rs.rs_rate ==
>>                 sc->curband->bitrates[rxs.rate_idx].hw_value_short)
>>                 rxs.flag |= RX_FLAG_SHORTPRE;
>>
>> because sc->rate_idx is u8 instead of s8.
>
> strcmp("sc->rate_idx", "rxs.rate_idx") != 0 :)
>
> Or did I miss something? :)

Sorry, I should've been clearer. hw_to_driver_rix() returns
sc->rate_idx[x][y] as an int, and that array is initialized to (u8)-1
for invalid rates. So, it can return 255 if the hardware rate index (y)
is bad, then the check "rxs.rate_idx >= 0" would always be true, right?

If it's not a real bug yet, it likely will be one day :)

--
Bob Copeland %% www.bobcopeland.com
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
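An added illustration of the u8-versus-s8 issue discussed above (example code, not the ath5k driver's own; the table sizes, the sample rate mappings and the function names are assumptions):

```c
#include <stdint.h>
/* Constructed example, not the ath5k driver's code. Table sizes, contents and
 * the function names below are assumptions used only to show the u8/s8 issue. */
#define MAX_HW_RATES 32   /* hardware rate codes (the "y" index in the thread) */
#define NUM_BITRATES 12   /* size of the driver's bitrates[] table */
static uint8_t rate_idx_u8[MAX_HW_RATES];  /* as described: u8, invalid = (u8)-1 */
static int8_t  rate_idx_s8[MAX_HW_RATES];  /* corrected type: s8, invalid = -1   */

static void init_tables(void)
{
    static int done;
    if (done)
        return;
    for (int i = 0; i < MAX_HW_RATES; i++) {
        rate_idx_u8[i] = (uint8_t)-1;  /* stores 255: the sign is lost here */
        rate_idx_s8[i] = -1;
    }
    /* two constructed valid mappings: hw rate code -> bitrates[] index */
    rate_idx_u8[0x1b] = 0; rate_idx_s8[0x1b] = 0;
    rate_idx_u8[0x0b] = 5; rate_idx_s8[0x0b] = 5;
    done = 1;
}

/* Lookup that returns int, like hw_to_driver_rix() in the thread. With the
 * u8 table an invalid entry is promoted to 255, never to -1. */
int hw_to_driver_rix_u8(unsigned hw_rix)
{
    init_tables();
    return hw_rix < MAX_HW_RATES ? rate_idx_u8[hw_rix] : -1;
}
int hw_to_driver_rix_s8(unsigned hw_rix)
{
    init_tables();
    return hw_rix < MAX_HW_RATES ? rate_idx_s8[hw_rix] : -1;
}

/* The receive-path guard from the thread: bitrates[rate_idx] is read when
 * rate_idx >= 0. Returns 1 if the read would happen, 0 if it is skipped. */
int guard_as_posted(int rate_idx)
{
    return rate_idx >= 0;
}

/* Guard that also rejects indexes past the end of bitrates[], so a 255 from
 * the u8 table can no longer reach the array. */
int guard_bounded(int rate_idx)
{
    return rate_idx >= 0 && rate_idx < NUM_BITRATES;
}
```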