ipw2x00: Write outside array bounds

> channel_index loops up to IPW_SCAN_CHANNELS, but is used after being
> incremented. This might be able to access 1 past the end of the array

Reported-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

diff --git a/drivers/net/wireless/ipw2x00/ipw2200.c b/drivers/net/wireless/ipw2x00/ipw2200.c
index 44c29b3..6dcac73 100644 (file)
--- a/drivers/net/wireless/ipw2x00/ipw2200.c
+++ b/drivers/net/wireless/ipw2x00/ipw2200.c
@@ -6226,7 +6226,7 @@ static void ipw_add_scan_channels(struct ipw_priv *priv,
                        };
 
                        u8 channel;
-                       while (channel_index < IPW_SCAN_CHANNELS) {
+                       while (channel_index < IPW_SCAN_CHANNELS - 1) {
                                channel =
                                    priv->speed_scan[priv->speed_scan_pos];
                                if (channel == 0) {