From patchwork Sat Jul 25 21:48:32 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Roel Kluin <roel.kluin@gmail.com>
X-Patchwork-Id: 37367
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167])
	by demeter.kernel.org (8.14.2/8.14.2) with ESMTP id n6PLk0gu000912
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Sat, 25 Jul 2009 21:46:00 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751696AbZGYVp6 (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Sat, 25 Jul 2009 17:45:58 -0400
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1751931AbZGYVp6
	(ORCPT <rfc822;linux-wireless-outgoing>);
	Sat, 25 Jul 2009 17:45:58 -0400
Received: from mail-ew0-f226.google.com ([209.85.219.226]:54129 "EHLO
	mail-ew0-f226.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751522AbZGYVp5 (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Sat, 25 Jul 2009 17:45:57 -0400
Received: by ewy26 with SMTP id 26so2440131ewy.37
	for <linux-wireless@vger.kernel.org>;
	Sat, 25 Jul 2009 14:45:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:received:received:message-id:date:from
	:user-agent:mime-version:to:subject:content-type
	:content-transfer-encoding;
	bh=Bhn88ZCd4ePaeJotuQ3asVR+V7r8v3k8HpnSDlXRf/A=;
	b=kO4PRAQSJD2sUdjmUTyQJ0VDRE+Rpe39ivzHXMrg1jzEL8CNbgi4CQSEOLxqCwO+j5
	tPzfFkaMctM8hU/ozgo3C1Ee3j/bcMF9pK341gE+jW/oWt/2SeqCJRpWlgcIKiTYMOF5
	uQo9/RZnkc2EIwz1zL4pAIwzF/gx3qXavAvTI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=message-id:date:from:user-agent:mime-version:to:subject
	:content-type:content-transfer-encoding;
	b=doutlpNRaq4WNVGDMSbkDmNer0KjUyj2u4b22vfE/bATT7eUXt6F6EQIi1829IR06B
	MaVqFLao0D+AHjMbesTlO65nSleQo/4qs4+K59heH7tnS2JuxrwnuLd/eLi/t9f/J2jO
	kHMM3u7ujfEEdXFVqALyQVvdf9EAMqzx6Exr4=
Received: by 10.210.66.10 with SMTP id o10mr2850399eba.65.1248558357109;
	Sat, 25 Jul 2009 14:45:57 -0700 (PDT)
Received: from zoinx.mars (d133062.upc-d.chello.nl [213.46.133.62])
	by mx.google.com with ESMTPS id 5sm2169344eyh.40.2009.07.25.14.45.56
	(version=SSLv3 cipher=RC4-MD5);
	Sat, 25 Jul 2009 14:45:56 -0700 (PDT)
Message-ID: <4A6B7DB0.7090902@gmail.com>
Date: Sat, 25 Jul 2009 23:48:32 +0200
From: Roel Kluin <roel.kluin@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US;
	rv:1.9.1b3pre) Gecko/20090513 Fedora/3.0-2.3.beta2.fc11
	Thunderbird/3.0b2
MIME-Version: 1.0
To: yi.zhu@intel.com, linux-wireless@vger.kernel.org,
	ipw2100-devel@lists.sourceforge.net,
	Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH] ipw2x00: Write outside array bounds
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

channel_index loops up to IPW_SCAN_CHANNELS, but is used after being
incremented. This might be able to access 1 past the end of the array

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/net/wireless/ipw2x00/ipw2200.c b/drivers/net/wireless/ipw2x00/ipw2200.c
index 44c29b3..d1c9d6d 100644
--- a/drivers/net/wireless/ipw2x00/ipw2200.c
+++ b/drivers/net/wireless/ipw2x00/ipw2200.c
@@ -6249,7 +6249,10 @@ static void ipw_add_scan_channels(struct ipw_priv *priv,
 
 				channels[channel - 1] = 1;
 				priv->speed_scan_pos++;
-				channel_index++;
+
+				if (++channel_index >= IPW_SCAN_CHANNELS)
+					break;
+
 				scan->channels_list[channel_index] = channel;
 				index =
 				    ieee80211_channel_to_index(priv->ieee, channel);