From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Message-Id: <20130507035844.269232170@goodmis.org> Date: Mon, 06 May 2013 23:57:32 -0400 From: Steven Rostedt To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Stone Piao , Bing Zhao , "John W. Linville" Subject: [020/126] mwifiex: limit channel number not to overflow memory References: <20130507035712.909872333@goodmis.org> Content-Disposition: inline; filename=0020-mwifiex-limit-channel-number-not-to-overflow-memory.patch Sender: linux-kernel-owner@vger.kernel.org List-ID: 3.6.11.3 stable review patch. If anyone has any objections, please let me know. ------------------ From: Stone Piao [ Upstream commit 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f ] Limit the channel number in scan request, or the driver scan config structure memory will be overflowed. Cc: # 3.5+ Signed-off-by: Stone Piao Signed-off-by: Bing Zhao Signed-off-by: John W. Linville Signed-off-by: Steven Rostedt --- drivers/net/wireless/mwifiex/cfg80211.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/mwifiex/cfg80211.c b/drivers/net/wireless/mwifiex/cfg80211.c index fe42137..b4719ea 100644 --- a/drivers/net/wireless/mwifiex/cfg80211.c +++ b/drivers/net/wireless/mwifiex/cfg80211.c @@ -1487,7 +1487,8 @@ mwifiex_cfg80211_scan(struct wiphy *wiphy, } } - for (i = 0; i < request->n_channels; i++) { + for (i = 0; i < min_t(u32, request->n_channels, + MWIFIEX_USER_SCAN_CHAN_MAX); i++) { chan = request->channels[i]; priv->user_scan_cfg->chan_list[i].chan_number = chan->hw_value; priv->user_scan_cfg->chan_list[i].radio_type = chan->band; -- 1.7.10.4
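Review bot: In the `for` condition of mwifiex_cfg80211_scan(), the clamp `min_t(u32, request->n_channels, MWIFIEX_USER_SCAN_CHAN_MAX)` silently drops every channel past the cap, and nothing in this hunk tells the caller that part of its scan request was never copied into `priv->user_scan_cfg->chan_list`. Consider logging a warning when `request->n_channels` exceeds `MWIFIEX_USER_SCAN_CHAN_MAX` so the truncation is visible. Consider also computing the clamped count once into a local before the loop rather than re-evaluating `min_t()` in the condition on every iteration, which removes the wrapped loop header as well. The bound only prevents the overflow if `chan_list` holds at least `MWIFIEX_USER_SCAN_CHAN_MAX` entries; the array declaration is not part of this hunk, so that should be confirmed against the structure definition.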