ath6kl: fix reading of FW IE capabilities

For some strange reason I used ALIGN() to calculate index to the
buffer. That is totally bogus and wouldn't work when it tried to read
the second bit. Fix it by removing the ALIGN() altogether.

Also check that ie_len is not too short.

Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>

diff --git a/drivers/net/wireless/ath/ath6kl/init.c b/drivers/net/wireless/ath/ath6kl/init.c
index c97f83c..5753f00 100644 (file)
--- a/drivers/net/wireless/ath/ath6kl/init.c
+++ b/drivers/net/wireless/ath/ath6kl/init.c
@@ -913,12 +913,15 @@ static int ath6kl_fetch_fw_api2(struct ath6kl *ar)
                                   ar->hw.reserved_ram_size);
                        break;
                case ATH6KL_FW_IE_CAPABILITIES:
+                       if (ie_len < DIV_ROUND_UP(ATH6KL_FW_CAPABILITY_MAX, 8))
+                               break;
+
                        ath6kl_dbg(ATH6KL_DBG_BOOT,
                                   "found firmware capabilities ie (%zd B)\n",
                                   ie_len);
 
                        for (i = 0; i < ATH6KL_FW_CAPABILITY_MAX; i++) {
-                               index = ALIGN(i, 8) / 8;
+                               index = i / 8;
                                bit = i % 8;
 
                                if (data[index] & (1 << bit))