From: Tom Li <biergaizi2009@gmail.com>
Date: Fri, 23 May 2014 15:48:39 +0000 (+0800)
Subject: Fix Array Out of Bounds in rcSibUpdate_ht()
X-Git-Tag: 1.4.0~7^2
X-Git-Url: https://jxself.org/git/?p=open-ath9k-htc-firmware.git;a=commitdiff_plain;h=08e85cbbdcfce9eadf43a9503879bce75e33d339

Fix Array Out of Bounds in rcSibUpdate_ht()

In rcSibUpdate_ht(), we clear
validPhyRateIndex[WLAN_RC_PHY_MAX][MAX_TX_RATE_PHY]
by a for loop.

But, validPhyRateIndex was defined with
validPhyRateIndex[WLAN_RC_PHY_MAX][MAX_TX_RATE_TBL],
and MAX_TX_RATE_TBL is always greater than MAX_TX_RATE_PHY,
caused the out of bounds array access.

This commit corrects MAX_TX_RATE_PHY to MAX_TX_RATE_TBL,
and remove MAX_TX_RATE_PHY from ratectrl.h because it is
no longer be used.

Signed-off-by: Tom Li <biergaizi@member.fsf.org>
---

diff --git a/target_firmware/wlan/ratectrl.h b/target_firmware/wlan/ratectrl.h
index 3b3f5ea..08b5457 100755
--- a/target_firmware/wlan/ratectrl.h
+++ b/target_firmware/wlan/ratectrl.h
@@ -117,10 +117,8 @@ enum {
 
 #ifdef MAGPIE_MERLIN  
 #define MAX_TX_RATE_TBL         46
-#define MAX_TX_RATE_PHY         48
 #else
 #define MAX_TX_RATE_TBL         54//46
-#define MAX_TX_RATE_PHY         56//48
 #endif
 
 /*
diff --git a/target_firmware/wlan/ratectrl_11n_ln.c b/target_firmware/wlan/ratectrl_11n_ln.c
index 277b184..de10a27 100755
--- a/target_firmware/wlan/ratectrl_11n_ln.c
+++ b/target_firmware/wlan/ratectrl_11n_ln.c
@@ -369,7 +369,7 @@ rcSibUpdate_ht(struct ath_softc_tgt *sc, struct ath_node_target *an,
 	rcInitValidTxMask(pRc);
 
 	for (i = 0; i < WLAN_RC_PHY_MAX; i++) {
-		for (j = 0; j < MAX_TX_RATE_PHY; j++) {
+		for (j = 0; j < MAX_TX_RATE_TBL; j++) {
 			mPhyCtrlState.validPhyRateIndex[i][j] = 0;
 		}   
 		mPhyCtrlState.validPhyRateCount[i] = 0;