From: Christian Lamparter <chunkeey@googlemail.com>
Date: Mon, 26 Jul 2010 21:43:28 +0000 (+0200)
Subject: carl9170 firmware: fix array-out-of-bounds bug
X-Git-Tag: 1.7.3~3
X-Git-Url: https://jxself.org/git/?p=carl9170fw.git;a=commitdiff_plain;h=a4cf4c3aa345a046f8f4d3d1eb66edb590b62554

carl9170 firmware: fix array-out-of-bounds bug

This patch fixes an out-of-bounds access which would occur
if the driver sets queue to 6 or 7. Additionally, the
transmission status report has only reserved 2 bits for
reporting this information.

Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
---

diff --git a/include/shared/wlan.h b/include/shared/wlan.h
index fbfee17..5127c3a 100644
--- a/include/shared/wlan.h
+++ b/include/shared/wlan.h
@@ -248,7 +248,8 @@ struct carl9170_tx_superdesc {
 	u8 ampdu_commit_density:1;
 	u8 ampdu_commit_factor:1;
 	u8 ampdu_unused_bit:1;
-	u8 queue:3;
+	u8 queue:2;
+	u8 reserved:1;
 	u8 vif_id:3;
 	u8 fill_in_tsf:1;
 	u8 cab:1;
@@ -294,7 +295,7 @@ struct _ar9170_tx_hwdesc {
 #define	CARL9170_TX_SUPER_AMPDU_COMMIT_FACTOR		0x40
 #define	CARL9170_TX_SUPER_AMPDU_COMMIT_FACTOR_S		6
 
-#define CARL9170_TX_SUPER_MISC_QUEUE			0x7
+#define CARL9170_TX_SUPER_MISC_QUEUE			0x3
 #define CARL9170_TX_SUPER_MISC_QUEUE_S			0
 #define	CARL9170_TX_SUPER_MISC_VIF_ID			0x38
 #define	CARL9170_TX_SUPER_MISC_VIF_ID_S			3
@@ -402,8 +403,6 @@ enum ar9170_txq {
 	AR9170_TXQ_BK,
 
 	__AR9170_NUM_TXQ,
-
-	AR9170_TXQ_MGMT = 4,
 };
 
 static const u8 ar9170_qmap[__AR9170_NUM_TXQ] = { 2, 1, 0, 3 };