The size of the eeprom data is 1088 bytes for AR9485. But
a sanity check is done against 4K which would result in a
'potential read past the end of the buffer' smatch complaint.
Reported-by: Dan Carpenter <error27@xxxxxxxxx>
Signed-off-by: Vasanthakumar Thiagarajan <vasanth@xxxxxxxxxxx>
---
drivers/net/wireless/ath/ath9k/ar9003_eeprom.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
index f80ec74..579a033 100644
--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
@@ -59,6 +59,8 @@
#define CTL(_tpower, _flag) ((_tpower) | ((_flag) << 6))
+#define EEPROM_DATA_LEN_9485 1088
+
static int ar9003_hw_power_interpolate(int32_t x,
int32_t *px, int32_t *py, u_int16_t np);
@@ -3367,7 +3369,7 @@ found:
"Found block at %x: code=%d ref=%d length=%d major=%d minor=%d\n",
cptr, code, reference, length, major, minor);
if ((!AR_SREV_9485(ah) && length >= 1024) ||
- (AR_SREV_9485(ah) && length >= (4 * 1024))) {
+ (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485)) {
ath_dbg(common, ATH_DBG_EEPROM,
"Skipping bad header\n");
cptr -= COMP_HDR_LEN;
--
1.7.0.4
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
