ipw2x00: Write outside array bounds > channel_index loops up to IPW_SCAN_CHANNELS, but is used after being > incremented. This might be able to access 1 past the end of the array Reported-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>

commit: 7dd2459d8f7a967bcd1466591aec72bb3ddc07cc [log] [tgz]
author: Zhu Yi <yi.zhu@intel.com> Mon Jul 27 10:10:20 2009 +0800
committer: John W. Linville <linville@tuxdriver.com> Fri Aug 07 13:09:28 2009 -0400
tree: c07513130a369e62e0ea9fbc6522ade3321700ca
parent: 0bf52b981770cbf006323bab5177f2858a196766 [diff] [blame]
diff --git a/drivers/net/wireless/ipw2x00/ipw2200.c b/drivers/net/wireless/ipw2x00/ipw2200.c
index 44c29b3..6dcac73 100644
--- a/drivers/net/wireless/ipw2x00/ipw2200.c
+++ b/drivers/net/wireless/ipw2x00/ipw2200.c

@@ -6226,7 +6226,7 @@
 			};
 
 			u8 channel;
-			while (channel_index < IPW_SCAN_CHANNELS) {
+			while (channel_index < IPW_SCAN_CHANNELS - 1) {
 				channel =
 				    priv->speed_scan[priv->speed_scan_pos];
 				if (channel == 0) {
commit	7dd2459d8f7a967bcd1466591aec72bb3ddc07cc	[log] [tgz]
author	Zhu Yi <yi.zhu@intel.com>	Mon Jul 27 10:10:20 2009 +0800
committer	John W. Linville <linville@tuxdriver.com>	Fri Aug 07 13:09:28 2009 -0400
tree	c07513130a369e62e0ea9fbc6522ade3321700ca
parent	0bf52b981770cbf006323bab5177f2858a196766 [diff] [blame]