From: John W. Linville Date: Thu, 14 Jan 2010 22:00:54 +0000 (-0500) Subject: Revert "iwmc3200wifi: fix array out-of-boundary access" X-Git-Tag: v3.12-rc1~11246^2~49^2~290 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=79b6a5110abf6fd4454ba34e0960783a4a2c801a;p=kernel%2Fkernel-generic.git Revert "iwmc3200wifi: fix array out-of-boundary access" This reverts commit 6c853da3f30c93eae847ecbcd9fdf10ba0da04c2. From Message-ID: <1262663293.551.117.camel@debian> On Sat, 2010-01-02 at 22:09 +0800, Dan Carpenter wrote: > It don't think 6c853da3f30c93 is right. That's the patch > titled "iwmc3200wifi: fix array out-of-boundary access" > > Allocate priv->rx_packets[IWM_RX_ID_HASH + 1] because the max array > index is IWM_RX_ID_HASH according to IWM_RX_ID_GET_HASH(). > > In 2.6.33-rc2 IWM_RX_ID_GET_HASH() doesn't go as high as IWM_RX_ID_HASH > and I don't see any array out-of-bounds. > > #define IWM_RX_ID_GET_HASH(id) ((id) % IWM_RX_ID_HASH) Ah, you are right. I took '%' for '&'. John, would you revert it? Sorry for the false alarm. Thanks, -yi Reported-by: Dan Carpenter Reviewed-by: Zhu Yi Signed-off-by: John W. Linville --- diff --git a/drivers/net/wireless/iwmc3200wifi/iwm.h b/drivers/net/wireless/iwmc3200wifi/iwm.h index 8428111..79ffa3b 100644 --- a/drivers/net/wireless/iwmc3200wifi/iwm.h +++ b/drivers/net/wireless/iwmc3200wifi/iwm.h @@ -268,7 +268,7 @@ struct iwm_priv { struct sk_buff_head rx_list; struct list_head rx_tickets; - struct list_head rx_packets[IWM_RX_ID_HASH + 1]; + struct list_head rx_packets[IWM_RX_ID_HASH]; struct workqueue_struct *rx_wq; struct work_struct rx_worker;