From: Stone Piao <piaoyun@marvell.com>
Date: Sat, 30 Mar 2013 02:21:21 +0000 (-0700)
Subject: mwifiex: limit channel number not to overflow memory
X-Git-Tag: firefly_0821_release~3680^2~707^2~11^2^2~17
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f;p=firefly-linux-kernel-4.4.55.git

mwifiex: limit channel number not to overflow memory

Limit the channel number in scan request, or the driver scan
config structure memory will be overflowed.

Cc: <stable@vger.kernel.org> # 3.5+
Signed-off-by: Stone Piao <piaoyun@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
---

diff --git a/drivers/net/wireless/mwifiex/cfg80211.c b/drivers/net/wireless/mwifiex/cfg80211.c
index a44023a7bd57..8aaf56ade4d9 100644
--- a/drivers/net/wireless/mwifiex/cfg80211.c
+++ b/drivers/net/wireless/mwifiex/cfg80211.c
@@ -1892,7 +1892,8 @@ mwifiex_cfg80211_scan(struct wiphy *wiphy,
 		}
 	}
 
-	for (i = 0; i < request->n_channels; i++) {
+	for (i = 0; i < min_t(u32, request->n_channels,
+			      MWIFIEX_USER_SCAN_CHAN_MAX); i++) {
 		chan = request->channels[i];
 		priv->user_scan_cfg->chan_list[i].chan_number = chan->hw_value;
 		priv->user_scan_cfg->chan_list[i].radio_type = chan->band;