From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed, 18 Apr 2012 06:48:59 +0000 (+0300)
Subject: Staging: wlan-ng: off by one in prism2mgmt_scan_results()
X-Git-Tag: v3.5-rc1~145^2~229^2~151
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=bb46f130a033ed812ccc24f5fd4f34648650d240;p=platform%2Fkernel%2Flinux-3.10.git

Staging: wlan-ng: off by one in prism2mgmt_scan_results()

Count is used to cap "req->bssindex.data" which is used as an offset
into the hw->scanresults->info.hscanresult.result[] array.  The array
has only HFA384x_SCANRESULT_MAX (31) elements so the 32 is off by one.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/staging/wlan-ng/prism2mgmt.c b/drivers/staging/wlan-ng/prism2mgmt.c
index c3bb05d..4efa9bc 100644
--- a/drivers/staging/wlan-ng/prism2mgmt.c
+++ b/drivers/staging/wlan-ng/prism2mgmt.c
@@ -380,8 +380,8 @@ int prism2mgmt_scan_results(wlandevice_t *wlandev, void *msgp)
 	}
 
 	count = (hw->scanresults->framelen - 3) / 32;
-	if (count > 32)
-		count = 32;
+	if (count > HFA384x_SCANRESULT_MAX)
+		count = HFA384x_SCANRESULT_MAX;
 
 	if (req->bssindex.data >= count) {
 		pr_debug("requested index (%d) out of range (%d)\n",