From patchwork Fri Jul 29 08:52:18 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dan Carpenter <error27@gmail.com>
X-Patchwork-Id: 1019282
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by demeter2.kernel.org (8.14.4/8.14.4) with ESMTP id p6T8sUEd026757
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Fri, 29 Jul 2011 08:54:30 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755642Ab1G2IyV (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Fri, 29 Jul 2011 04:54:21 -0400
Received: from mail-pz0-f42.google.com ([209.85.210.42]:60875 "EHLO
	mail-pz0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1755542Ab1G2IyU (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Fri, 29 Jul 2011 04:54:20 -0400
Received: by pzk37 with SMTP id 37so6022127pzk.1
	for <multiple recipients>; Fri, 29 Jul 2011 01:54:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=date:from:to:cc:subject:message-id:mime-version:content-type
	:content-disposition:user-agent;
	bh=r5myNfQs6r0Uxtvovep6tVPV1DJr8wjFGb2fAkHvpKo=;
	b=KryDiDqi2G5DuNcn2FD6mHQDEwQEcvwl7iIqjoBpFHyVp7rqVoTcylf4WgYvog7y6i
	xNEd5WCFMjqZ1bTtrGVanzVUE/FRCYzJZr6svcoH4G/Y7oDk4Jkt6zPmjaPdMkDRmb9p
	sEnvYzCFSbAbxFVDben7Mi1v0PYf4Np5TiMsU=
Received: by 10.68.65.166 with SMTP id y6mr1841269pbs.247.1311929659880;
	Fri, 29 Jul 2011 01:54:19 -0700 (PDT)
Received: from shale.localdomain ([41.139.221.94])
	by mx.google.com with ESMTPS id v2sm1709076pbi.3.2011.07.29.01.54.13
	(version=TLSv1/SSLv3 cipher=OTHER);
	Fri, 29 Jul 2011 01:54:19 -0700 (PDT)
Date: Fri, 29 Jul 2011 11:52:18 +0300
From: Dan Carpenter <error27@gmail.com>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: "John W. Linville" <linville@tuxdriver.com>,
	"David S. Miller" <davem@davemloft.net>,
	"open list:CFG80211 and NL80211" <linux-wireless@vger.kernel.org>,
	"open list:NETWORKING [GENERAL]" <netdev@vger.kernel.org>,
	kernel-janitors@vger.kernel.org
Subject: [patch] cfg80211: off by one in nl80211_trigger_scan()
Message-ID: <20110729085217.GG3752@shale.localdomain>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by
	milter-greylist-4.2.6 (demeter2.kernel.org [140.211.167.43]);
	Fri, 29 Jul 2011 08:54:30 +0000 (UTC)

The test is off by one so we'd read past the end of the
wiphy->bands[] array on the next line.

Signed-off-by: Dan Carpenter <error27@gmail.com>
---
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 28d2aa1..e83e7fe 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3464,7 +3464,7 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
 				    tmp) {
 			enum ieee80211_band band = nla_type(attr);
 
-			if (band < 0 || band > IEEE80211_NUM_BANDS) {
+			if (band < 0 || band >= IEEE80211_NUM_BANDS) {
 				err = -EINVAL;
 				goto out_free;
 			}