ath6kl: fix reading of FW IE capabilities
authorKalle Valo <kvalo@qca.qualcomm.com>
Tue, 13 Dec 2011 12:51:58 +0000 (14:51 +0200)
committerKalle Valo <kvalo@qca.qualcomm.com>
Tue, 13 Dec 2011 13:03:48 +0000 (15:03 +0200)
For some strange reason I used ALIGN() to calculate index to the
buffer. That is totally bogus and wouldn't work when it tried to read
the second bit. Fix it by removing the ALIGN() altogether.

Also check that ie_len is not too short.

Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
drivers/net/wireless/ath/ath6kl/init.c

index c97f83ca0ff271870852747cce36170fd4ccaff3..5753f00a0c0dbf8cec606154ced4d6fca7536a6d 100644 (file)
@@ -913,12 +913,15 @@ static int ath6kl_fetch_fw_api2(struct ath6kl *ar)
                                   ar->hw.reserved_ram_size);
                        break;
                case ATH6KL_FW_IE_CAPABILITIES:
+                       if (ie_len < DIV_ROUND_UP(ATH6KL_FW_CAPABILITY_MAX, 8))
+                               break;
+
                        ath6kl_dbg(ATH6KL_DBG_BOOT,
                                   "found firmware capabilities ie (%zd B)\n",
                                   ie_len);
 
                        for (i = 0; i < ATH6KL_FW_CAPABILITY_MAX; i++) {
-                               index = ALIGN(i, 8) / 8;
+                               index = i / 8;
                                bit = i % 8;
 
                                if (data[index] & (1 << bit))