On Tue, May 11, 2010 at 11:51 PM, Gertjan van Wingerde <gwingerde@xxxxxxxxx> wrote: > The buffer address descriptor word is not part of the TXINFO structure > needed for beacons. The current writing of that word for beacons is > therefore an out-of-bounds write. > Fix this by only writing the buffer address descriptor word for TX > queues. > > Signed-off-by: Gertjan van Wingerde <gwingerde@xxxxxxxxx> > --- > drivers/net/wireless/rt2x00/rt61pci.c | 10 +++++----- > 1 files changed, 5 insertions(+), 5 deletions(-) > > diff --git a/drivers/net/wireless/rt2x00/rt61pci.c b/drivers/net/wireless/rt2x00/rt61pci.c > index 2436363..99c2981 100644 > --- a/drivers/net/wireless/rt2x00/rt61pci.c > +++ b/drivers/net/wireless/rt2x00/rt61pci.c > @@ -1801,12 +1801,12 @@ static void rt61pci_write_tx_desc(struct rt2x00_dev *rt2x00dev, > rt2x00_set_field32(&word, TXD_W5_WAITING_DMA_DONE_INT, 1); > rt2x00_desc_write(txd, 5, word); > > - rt2x00_desc_read(txd, 6, &word); > - rt2x00_set_field32(&word, TXD_W6_BUFFER_PHYSICAL_ADDRESS, > - skbdesc->skb_dma); > - rt2x00_desc_write(txd, 6, word); > + if (txdesc->queue != QID_BEACON) { > + rt2x00_desc_read(txd, 6, &word); > + rt2x00_set_field32(&word, TXD_W6_BUFFER_PHYSICAL_ADDRESS, > + skbdesc->skb_dma); > + rt2x00_desc_write(txd, 6, word); > > - if (skbdesc->desc_len > TXINFO_SIZE) { > rt2x00_desc_read(txd, 11, &word); > rt2x00_set_field32(&word, TXD_W11_BUFFER_LENGTH0, > txdesc->length); Shouldn't the check for TXINFO_SIZE be used rather than explicitly checking for the QID? Ivo -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html