From: Dan Carpenter
Date: Sun, 3 Jan 2010 09:19:35 +0000 (+0200)
Subject: iwl: off by one bug
X-Git-Tag: v2.6.33-rc5~71^2~13^2~17
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=8a9ac160e844c7ce8074f6aa531feefb4acdee7c;p=profile%2Fivi%2Fkernel-x86-ivi.git

iwl: off by one bug

tid is used as an array offset.

    agg = &priv->stations[sta_id].tid[tid].agg;
    iwl4965_tx_status_reply_tx(priv, agg, tx_resp, txq_id, index);

It should be limited to MAX_TID_COUNT - 1;

    struct iwl_tid_data tid[MAX_TID_COUNT];

regards,
dan carpenter

Signed-off-by: Dan Carpenter
CC: stable@kernel.org
Signed-off-by: John W. Linville
---
diff --git a/drivers/net/wireless/iwlwifi/iwl-4965.c b/drivers/net/wireless/iwlwifi/iwl-4965.c index 484c5fdf7c2..761aab127e7 100644 --- a/drivers/net/wireless/iwlwifi/iwl-4965.c +++ b/drivers/net/wireless/iwlwifi/iwl-4965.c @@ -1961,7 +1961,7 @@ static void iwl4965_rx_reply_tx(struct iwl_priv *priv, struct ieee80211_tx_info *info; struct iwl4965_tx_resp *tx_resp = (void *)&pkt->u.raw[0]; u32 status = le32_to_cpu(tx_resp->u.status); - int tid = MAX_TID_COUNT; + int tid = MAX_TID_COUNT - 1; int sta_id; int freed; u8 *qc = NULL;
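
Review bot: the new initializer `int tid = MAX_TID_COUNT - 1;` in iwl4965_rx_reply_tx() keeps the index inside `struct iwl_tid_data tid[MAX_TID_COUNT]`, but it also makes the fallback value indistinguishable from a real TID, so when no TID is derived from the frame the status is accounted against the last array slot instead of being rejected. Consider keeping an explicit out-of-range sentinel and checking `tid < MAX_TID_COUNT` immediately before `agg = &priv->stations[sta_id].tid[tid].agg;`, or at least add a comment at the declaration saying why the last slot is a safe default. The same dereference indexes `stations[]` with `sta_id`, which is declared uninitialized in this hunk and is not bounded by anything in the visible lines, so it is worth confirming that a range check exists elsewhere in the function.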