summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPavel Roskin <proski@gnu.org>2009-08-04 23:48:16 +0200
committerJohn W. Linville <linville@tuxdriver.com>2009-08-14 15:06:52 +0200
commit6b26dead3ce97d016b57724b01974d5ca5c84bd5 (patch)
treed6968f04884bcb8bf28f29a6ed8f0dc73ea191ef
parentmac80211: fix panic when splicing unprepared TIDs (diff)
downloadlinux-6b26dead3ce97d016b57724b01974d5ca5c84bd5.tar.xz
linux-6b26dead3ce97d016b57724b01974d5ca5c84bd5.zip
rt2x00: fix memory corruption in rf cache, add a sanity check
Change rt2x00_rf_read() and rt2x00_rf_write() to subtract 1 from the rf register number. This is needed because the rf registers are enumerated starting with one. The size of the rf register cache is just enough to hold all registers, so writing to the highest register was corrupting memory. Add a check to make sure that the rf register number is valid. Signed-off-by: Pavel Roskin <proski@gnu.org> Cc: stable@kernel.org Acked-by: Ivo van Doorn <IvDoorn@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--drivers/net/wireless/rt2x00/rt2x00.h6
1 files changed, 4 insertions, 2 deletions
diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireless/rt2x00/rt2x00.h
index a498dde024e1..49c9e2c1433d 100644
--- a/drivers/net/wireless/rt2x00/rt2x00.h
+++ b/drivers/net/wireless/rt2x00/rt2x00.h
@@ -849,13 +849,15 @@ struct rt2x00_dev {
static inline void rt2x00_rf_read(struct rt2x00_dev *rt2x00dev,
const unsigned int word, u32 *data)
{
- *data = rt2x00dev->rf[word];
+ BUG_ON(word < 1 || word > rt2x00dev->ops->rf_size / sizeof(u32));
+ *data = rt2x00dev->rf[word - 1];
}
static inline void rt2x00_rf_write(struct rt2x00_dev *rt2x00dev,
const unsigned int word, u32 data)
{
- rt2x00dev->rf[word] = data;
+ BUG_ON(word < 1 || word > rt2x00dev->ops->rf_size / sizeof(u32));
+ rt2x00dev->rf[word - 1] = data;
}
/*