regulatory: don't write past array when intersecting rules

When intersecting rules, we count first to know how many
rules need to be allocated, and then do the intersection
into the allocated array. However, the code doing this
writes past the end of the array because it attempts to
do all intersections. Make it stop when the right number
of rules has been reached.

Acked-by: Luis R. Rodriguez <mcgrof@do-not-panic.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 6e53089..40646e8 100644 (file)
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -647,9 +647,9 @@ static struct ieee80211_regdomain *regdom_intersect(
        if (!rd)
                return NULL;
 
-       for (x = 0; x < rd1->n_reg_rules; x++) {
+       for (x = 0; x < rd1->n_reg_rules && rule_idx < num_rules; x++) {
                rule1 = &rd1->reg_rules[x];
-               for (y = 0; y < rd2->n_reg_rules; y++) {
+               for (y = 0; y < rd2->n_reg_rules && rule_idx < num_rules; y++) {
                        rule2 = &rd2->reg_rules[y];
                        /*
                         * This time around instead of using the stack lets