Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f8adaf0a authored by Emil Goode's avatar Emil Goode Committed by John W. Linville
Browse files

brcmfmac: Fix off by one bug in brcmf_count_20mhz_channels() 



In the brcmf_count_20mhz_channels function we are looping through a list
of channels received from firmware. Since the index of the first channel
is 0 the condition leads to an off by one bug. This is causing us to hit
the WARN_ON_ONCE(1) calls in the brcmu_d11n_decchspec function, which is
how I discovered the bug.

Introduced by:
commit b48d8916
("brcmfmac: rework wiphy structure setup")

Acked-by: default avatarArend van Spriel <arend@broadcom.com>
Signed-off-by: default avatarEmil Goode <emilgoode@gmail.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 2ba7d144

drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c

+1 −1
Original line number Diff line number Diff line
@@ -4921,7 +4921,7 @@ static void brcmf_count_20mhz_channels(struct brcmf_cfg80211_info *cfg, 
	struct brcmu_chan ch;

	int i;



	for (i = 0; i <= total; i++) {

	for (i = 0; i < total; i++) {

		ch.chspec = (u16)le32_to_cpu(chlist->element[i]);

		cfg->d11inf.decchspec(&ch);