ath9k_hw: Fix bug in eeprom data length validation for AR9485

The size of the eeprom data is 1088 bytes for AR9485. But a sanity check is done against 4K which would result in a 'potential read past the end of the buffer' smatch complaint. Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Vasanthakumar Thiagarajan <vasanth@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
git-mirror · Dec 22, 2010 · d0ce2d1 · d0ce2d1
1 parent 0207c0c
commit d0ce2d1
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
@@ -59,6 +59,8 @@
 
 #define CTL(_tpower, _flag) ((_tpower) | ((_flag) << 6))
 
+#define EEPROM_DATA_LEN_9485	1088
+
 static int ar9003_hw_power_interpolate(int32_t x,
 				       int32_t *px, int32_t *py, u_int16_t np);
 
@@ -3367,7 +3369,7 @@ static int ar9300_eeprom_restore_internal(struct ath_hw *ah,
 			"Found block at %x: code=%d ref=%d length=%d major=%d minor=%d\n",
 			cptr, code, reference, length, major, minor);
 		if ((!AR_SREV_9485(ah) && length >= 1024) ||
-		    (AR_SREV_9485(ah) && length >= (4 * 1024))) {
+		    (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485)) {
 			ath_dbg(common, ATH_DBG_EEPROM,
 				"Skipping bad header\n");
 			cptr -= COMP_HDR_LEN;