Commit 92c1ff1f authored Jan 12, 2012 by Dan Carpenter Committed by John W. Linville Jan 13, 2012

ipw2x00: signedness bug handling frame length



This is basically just a cleanup.  Large positive numbers get counted as
negative but then get implicitly cast to positive again for the checks
that matter.

This does make a small difference in ipw_handle_promiscuous_rx() when we
test "if (unlikely((len + IPW_RX_FRAME_SIZE) > skb_tailroom(rxb->skb)))"
It should return there, but we don't return until a couple lines later
when we test "if (len > IPW_RX_BUF_SIZE - sizeof(struct ipw_rt_hdr)) {".
The difference is that in the second test the sizeof() means that there
is an implied cast to unsigned.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

parent ccde8a45

drivers/net/wireless/ipw2x00/ipw2200.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -7848,7 +7848,7 @@ static void ipw_handle_data_packet_monitor(struct ipw_priv *priv,
		* more efficiently than we can parse it. ORDER MATTERS HERE */
		struct ipw_rt_hdr *ipw_rt;

		short len = le16_to_cpu(pkt->u.frame.length);
		unsigned short len = le16_to_cpu(pkt->u.frame.length);

		/* We received data from the HW, so stop the watchdog */
		dev->trans_start = jiffies;
		@@ -8023,7 +8023,7 @@ static void ipw_handle_promiscuous_rx(struct ipw_priv *priv,
		s8 signal = frame->rssi_dbm - IPW_RSSI_TO_DBM;
		s8 noise = (s8) le16_to_cpu(frame->noise);
		u8 rate = frame->rate;
		short len = le16_to_cpu(pkt->u.frame.length);
		unsigned short len = le16_to_cpu(pkt->u.frame.length);
		struct sk_buff *skb;
		int hdr_only = 0;
		u16 filter = priv->prom_priv->filter;