orinoco: Fix walking past the end of the buffer
authorDavid Kilroy <kilroyd@googlemail.com>
Sat, 21 Aug 2010 11:08:15 +0000 (12:08 +0100)
committerJohn W. Linville <linville@tuxdriver.com>
Wed, 25 Aug 2010 18:33:17 +0000 (14:33 -0400)
Fix walking past the end of the bitrate_table array
in the case when the loop counter == BITRATE_TABLE_SIZE.

Reported by: Denis Kirjanov <dkirjanov@kernel.org>
Signed-off-by: David Kilroy <kilroyd@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
drivers/net/wireless/orinoco/hw.c
drivers/net/wireless/orinoco/wext.c

index 077baa8..b4772c1 100644 (file)
@@ -762,14 +762,17 @@ int orinoco_hw_get_act_bitrate(struct orinoco_private *priv, int *bitrate)
        case FIRMWARE_TYPE_INTERSIL: /* Intersil style rate */
        case FIRMWARE_TYPE_SYMBOL: /* Symbol style rate */
                for (i = 0; i < BITRATE_TABLE_SIZE; i++)
-                       if (bitrate_table[i].intersil_txratectrl == val)
+                       if (bitrate_table[i].intersil_txratectrl == val) {
+                               *bitrate = bitrate_table[i].bitrate * 100000;
                                break;
+                       }
 
-               if (i >= BITRATE_TABLE_SIZE)
+               if (i >= BITRATE_TABLE_SIZE) {
                        printk(KERN_INFO "%s: Unable to determine current bitrate (0x%04hx)\n",
                               priv->ndev->name, val);
+                       err = -EIO;
+               }
 
-               *bitrate = bitrate_table[i].bitrate * 100000;
                break;
        default:
                BUG();
index cf7be1e..93505f9 100644 (file)
@@ -589,8 +589,15 @@ static int orinoco_ioctl_getrate(struct net_device *dev,
 
        /* If the interface is running we try to find more about the
           current mode */
-       if (netif_running(dev))
-               err = orinoco_hw_get_act_bitrate(priv, &bitrate);
+       if (netif_running(dev)) {
+               int act_bitrate;
+               int lerr;
+
+               /* Ignore errors if we can't get the actual bitrate */
+               lerr = orinoco_hw_get_act_bitrate(priv, &act_bitrate);
+               if (!lerr)
+                       bitrate = act_bitrate;
+       }
 
        orinoco_unlock(priv, &flags);