It don't think 6c853da3f30c93 is right. That's the patch
titled "iwmc3200wifi: fix array out-of-boundary access"
Allocate priv->rx_packets[IWM_RX_ID_HASH + 1] because the max array
index is IWM_RX_ID_HASH according to IWM_RX_ID_GET_HASH().
In 2.6.33-rc2 IWM_RX_ID_GET_HASH() doesn't go as high as IWM_RX_ID_HASH
and I don't see any array out-of-bounds.
#define IWM_RX_ID_GET_HASH(id) ((id) % IWM_RX_ID_HASH)
All the other code has the same assumptions.
Cscope tag: IWM_RX_ID_HASH
# line filename / context / line
1 175 drivers/net/wireless/iwmc3200wifi/iwm.h <<GLOBAL>>
#define IWM_RX_ID_HASH 0xff
2 271 drivers/net/wireless/iwmc3200wifi/iwm.h <<GLOBAL>>
struct list_head rx_packets[IWM_RX_ID_HASH];
3 292 drivers/net/wireless/iwmc3200wifi/debugfs.c <<iwm_debugfs_rx_ticket_read>>
for (i = 0; i < IWM_RX_ID_HASH; i++) {
4 176 drivers/net/wireless/iwmc3200wifi/iwm.h <<IWM_RX_ID_GET_HASH>>
#define IWM_RX_ID_GET_HASH(id) ((id) % IWM_RX_ID_HASH)
5 279 drivers/net/wireless/iwmc3200wifi/main.c <<iwm_priv_init>>
for (i = 0; i < IWM_RX_ID_HASH; i++)
6 396 drivers/net/wireless/iwmc3200wifi/rx.c <<iwm_rx_free>>
for (i = 0; i < IWM_RX_ID_HASH; i++) {
regards,
dan carpenter
On Sat, 2010-01-02 at 22:09 +0800, Dan Carpenter wrote:
> It don't think 6c853da3f30c93 is right. That's the patch
> titled "iwmc3200wifi: fix array out-of-boundary access"
>
> Allocate priv->rx_packets[IWM_RX_ID_HASH + 1] because the max array
> index is IWM_RX_ID_HASH according to IWM_RX_ID_GET_HASH().
>
> In 2.6.33-rc2 IWM_RX_ID_GET_HASH() doesn't go as high as IWM_RX_ID_HASH
> and I don't see any array out-of-bounds.
>
> #define IWM_RX_ID_GET_HASH(id) ((id) % IWM_RX_ID_HASH)
Ah, you are right. I took '%' for '&'. John, would you revert it? Sorry
for the false alarm.
Thanks,
-yi