From: Zhu Yi Date: Thu, 17 Nov 2005 05:58:30 +0000 (+0800) Subject: [PATCH] ipw2200: fix error log offset calculation X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=3b26b1100e26811e54770abaa221eae140ba840d;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git [PATCH] ipw2200: fix error log offset calculation This fixes a slab corruption issue in the ipw2200 driver: it essentially multiplied the error log number _twice_ by the size of the error element entry (once explicitly in the code, and once implicitly as part of the regular pointer arithmetic). Cc: Henrik Brix Andersen Cc: Bernard Blackham Cc: Zilvinas Valinskas Cc: Pekka Enberg Signed-off-by: Zhu Yi Signed-off-by: Linus Torvalds -- --- diff --git a/drivers/net/wireless/ipw2200.c b/drivers/net/wireless/ipw2200.c index 374b682e4d6a..5e7c7e944c9d 100644 --- a/drivers/net/wireless/ipw2200.c +++ b/drivers/net/wireless/ipw2200.c @@ -1110,8 +1110,7 @@ static struct ipw_fw_error *ipw_alloc_error_log(struct ipw_priv *priv) error->elem_len = elem_len; error->log_len = log_len; error->elem = (struct ipw_error_elem *)error->payload; - error->log = (struct ipw_event *)(error->elem + - (sizeof(*error->elem) * elem_len)); + error->log = (struct ipw_event *)(error->elem + elem_len); ipw_capture_event_log(priv, log_len, error->log);