Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9736ebfe authored by David Kilroy's avatar David Kilroy Committed by John W. Linville
Browse files

orinoco: Fix walking past the end of the buffer 



Fix walking past the end of the bitrate_table array
in the case when the loop counter == BITRATE_TABLE_SIZE.

Reported by: Denis Kirjanov <dkirjanov@kernel.org>
Signed-off-by: default avatarDavid Kilroy <kilroyd@googlemail.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 0fb9a9ec

drivers/net/wireless/orinoco/hw.c

+6 −3
Original line number Diff line number Diff line
@@ -762,14 +762,17 @@ int orinoco_hw_get_act_bitrate(struct orinoco_private *priv, int *bitrate) 
	case FIRMWARE_TYPE_INTERSIL: /* Intersil style rate */

	case FIRMWARE_TYPE_SYMBOL: /* Symbol style rate */

		for (i = 0; i < BITRATE_TABLE_SIZE; i++)

			if (bitrate_table[i].intersil_txratectrl == val)

			if (bitrate_table[i].intersil_txratectrl == val) {

				*bitrate = bitrate_table[i].bitrate * 100000;

				break;

			}



		if (i >= BITRATE_TABLE_SIZE)

		if (i >= BITRATE_TABLE_SIZE) {

			printk(KERN_INFO "%s: Unable to determine current bitrate (0x%04hx)\n",

			       priv->ndev->name, val);

			err = -EIO;

		}



		*bitrate = bitrate_table[i].bitrate * 100000;

		break;

	default:

		BUG();

drivers/net/wireless/orinoco/wext.c

+9 −2
Original line number Diff line number Diff line
@@ -589,8 +589,15 @@ static int orinoco_ioctl_getrate(struct net_device *dev, 


	/* If the interface is running we try to find more about the

	   current mode */

	if (netif_running(dev))

		err = orinoco_hw_get_act_bitrate(priv, &bitrate);

	if (netif_running(dev)) {

		int act_bitrate;

		int lerr;



		/* Ignore errors if we can't get the actual bitrate */

		lerr = orinoco_hw_get_act_bitrate(priv, &act_bitrate);

		if (!lerr)

			bitrate = act_bitrate;

	}



	orinoco_unlock(priv, &flags);