[PATCH] ipw2200: fix error log offset calculation

This fixes a slab corruption issue in the ipw2200 driver: it essentially
multiplied the error log number _twice_ by the size of the error element
entry (once explicitly in the code, and once implicitly as part of the
regular pointer arithmetic).

Cc: Henrik Brix Andersen <brix@gentoo.org>
Cc: Bernard Blackham <bernard@blackham.com.au>
Cc: Zilvinas Valinskas <zilvinas@gemtek.lt>
Cc: Pekka Enberg <penberg@cs.helsinki.fi>
Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
--
This commit is contained in:
Zhu Yi 2005-11-17 13:58:30 +08:00 committed by Linus Torvalds
parent efb3442cf1
commit 3b26b1100e

View File

@ -1110,8 +1110,7 @@ static struct ipw_fw_error *ipw_alloc_error_log(struct ipw_priv *priv)
error->elem_len = elem_len;
error->log_len = log_len;
error->elem = (struct ipw_error_elem *)error->payload;
error->log = (struct ipw_event *)(error->elem +
(sizeof(*error->elem) * elem_len));
error->log = (struct ipw_event *)(error->elem + elem_len);
ipw_capture_event_log(priv, log_len, error->log);