> -----Original Message-----
> From: Zhu, Yi
> Sent: Monday, July 27, 2009 4:42 AM
> To: Roel Kluin; Winkler, Tomas; Chatre, Reinette
> Cc: linux-wireless@xxxxxxxxxxxxxxx; ipw3945-devel@xxxxxxxxxxxxxxxxxxxxx; Andrew Morton
> Subject: Re: [PATCH] iwlwifi: Read outside array bounds
>
> On Sun, 2009-07-26 at 05:34 +0800, Roel Kluin wrote:
> > tid is bounded (above) by the size of default_tid_to_tx_fifo (17 elements), but
> > the size of priv->stations[].tid[] is MAX_TID_COUNT (9) elements.
>
> I think MAX_TID_COUNT should be defined as 16 or 17. Tomas?
>

In general it's 16. In practice we use only 8.
Tomas

> Thanks,
> -yi
>
> > Signed-off-by: Roel Kluin <roel.kluin@xxxxxxxxx>
> > ---
> > diff --git a/drivers/net/wireless/iwlwifi/iwl-tx.c > b/drivers/net/wireless/iwlwifi/iwl-tx.c > > index 85ae7a6..e9441c6 100644 > > --- a/drivers/net/wireless/iwlwifi/iwl-tx.c > > +++ b/drivers/net/wireless/iwlwifi/iwl-tx.c > > @@ -1170,6 +1170,8 @@ int iwl_tx_agg_start(struct iwl_priv *priv, > const u8 *ra, u16 tid, u16 *ssn) > > IWL_ERR(priv, "Start AGG on invalid station > > "); > > return -ENXIO; > > } > > + if (unlikely(tid >= MAX_TID_COUNT)) > > + return -EINVAL; > > > > if (priv->stations[sta_id].tid[tid].agg.state != IWL_AGG_OFF) { > > IWL_ERR(priv, "Start AGG when state is not IWL_AGG_OFF ! > > ");
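
Review bot: The added tid >= MAX_TID_COUNT check in iwl_tx_agg_start() returns -EINVAL without logging, while both neighbouring failure paths in the same function report through IWL_ERR ("Start AGG on invalid station", "Start AGG when state is not IWL_AGG_OFF !"); add an IWL_ERR line that prints the rejected tid so the failure is visible. The placement itself is right, ahead of the first priv->stations[sta_id].tid[tid] access. Per the description, tid is otherwise only bounded by the 17 entries of default_tid_to_tx_fifo while tid[] holds MAX_TID_COUNT (9) entries, so the commit message should state whether refusing the TIDs at or above MAX_TID_COUNT is the intended behaviour or whether the array should be sized for them, which is the question left open in the replies.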