git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/commit

author	Arnd Bergmann <arnd@arndb.de>
	Mon, 14 Mar 2016 14:18:36 +0000 (15:18 +0100)
committer	Tim Gardner <tim.gardner@canonical.com>
	Thu, 21 Apr 2016 13:20:28 +0000 (07:20 -0600)
commit	08589004630b7ea87dfcd7c76101f6cd0a972be9
tree	ba90d24fc3a5a2b556969f74de7c9db87959ee33	tree
parent	b2bb611d7ac3474c5111f4dfafd86fb224908931	commit \| diff

ath9k: fix buffer overrun for ar9287

BugLink: http://bugs.launchpad.net/bugs/1573034
[ Upstream commit 83d6f1f15f8cce844b0a131cbc63e444620e48b5 ]

Code that was added back in 2.6.38 has an obvious overflow
when accessing a static array, and at the time it was added
only a code comment was put in front of it as a reminder
to have it reviewed properly.

This has not happened, but gcc-6 now points to the specific
overflow:

drivers/net/wireless/ath/ath9k/eeprom.c: In function 'ath9k_hw_get_gain_boundaries_pdadcs':
drivers/net/wireless/ath/ath9k/eeprom.c:483:44: error: array subscript is above array bounds [-Werror=array-bounds]
maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4];
~~~~~~~~~~~~~~~~~~~~~~~~~^~~

It turns out that the correct array length exists in the local
'intercepts' variable of this function, so we can just use that
instead of hardcoding '4', so this patch changes all three
instances to use that variable. The other two instances were
already correct, but it's more consistent this way.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: 940cd2c12ebf ("ath9k_hw: merge the ar9287 version of ath9k_hw_get_gain_boundaries_pdadcs")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>