brcmfmac: fix end of loop check (signedness bug)

The problem here is that we loop until "remained_buf_len" is less than zero, but since it is unsigned, it never is. "remained_buf_len" has to be large enough to hold the value from "mgmt_ie_buf_len". That variable is type u32, but it only holds small values so I have changed to both variables to int. Also I removed the bogus initialization from "mgmt_ie_buf_len" so that GCC can detect if it is used unitialized. I moved the declaration of "remained_buf_len" closer to where it is used so it's easier to read. Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com> Reviewed-by: Hante Meuleman <meuleman@broadcom.com> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Franky Lin <frankyl@broadcom.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
author: Dan Carpenter <dan.carpenter@oracle.com> 2012-10-10 14:13:12 -0400
committer: John W. Linville <linville@tuxdriver.com> 2012-10-15 14:45:34 -0400
commit: 3e4f319dacc60c1b4537b85329d393ad18bf7501 (patch)
tree: 20f78805a34fe1a524127c6da84954c5f2a09dfd
parent: 5dd161ff7b46029c9da4f4ef8b214b8ba4316445 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
index 2c66bae77b37..411dfe7c7ff0 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
@@ -3972,7 +3972,7 @@ brcmf_set_management_ie(struct brcmf_cfg80211_info *cfg,
        u8  *iovar_ie_buf;
        u8  *curr_ie_buf;
        u8  *mgmt_ie_buf = NULL;
-        u32 mgmt_ie_buf_len = 0;
+        int mgmt_ie_buf_len;
        u32 *mgmt_ie_len = 0;
        u32 del_add_ie_buf_len = 0;
        u32 total_ie_buf_len = 0;
@@ -3982,7 +3982,7 @@ brcmf_set_management_ie(struct brcmf_cfg80211_info *cfg,
        struct parsed_vndr_ie_info *vndrie_info;
        s32 i;
        u8 *ptr;
-        u32 remained_buf_len;
+        int remained_buf_len;
        WL_TRACE("bssidx %d, pktflag : 0x%02X\n", bssidx, pktflag);
        iovar_ie_buf = kzalloc(WL_EXTRA_BUF_MAX, GFP_KERNEL);
author	Dan Carpenter <dan.carpenter@oracle.com>	2012-10-10 14:13:12 -0400
committer	John W. Linville <linville@tuxdriver.com>	2012-10-15 14:45:34 -0400
commit	3e4f319dacc60c1b4537b85329d393ad18bf7501 (patch)
tree	20f78805a34fe1a524127c6da84954c5f2a09dfd
parent	5dd161ff7b46029c9da4f4ef8b214b8ba4316445 (diff)

diff --git a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c index 2c66bae77b37..411dfe7c7ff0 100644 --- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c +++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
@@ -3972,7 +3972,7 @@ brcmf_set_management_ie(struct brcmf_cfg80211_info *cfg,
3972	u8 *iovar_ie_buf;	3972	u8 *iovar_ie_buf;
3973	u8 *curr_ie_buf;	3973	u8 *curr_ie_buf;
3974	u8 *mgmt_ie_buf = NULL;	3974	u8 *mgmt_ie_buf = NULL;
3975	u32 mgmt_ie_buf_len = 0;	3975	int mgmt_ie_buf_len;
3976	u32 *mgmt_ie_len = 0;	3976	u32 *mgmt_ie_len = 0;
3977	u32 del_add_ie_buf_len = 0;	3977	u32 del_add_ie_buf_len = 0;
3978	u32 total_ie_buf_len = 0;	3978	u32 total_ie_buf_len = 0;
@@ -3982,7 +3982,7 @@ brcmf_set_management_ie(struct brcmf_cfg80211_info *cfg,
3982	struct parsed_vndr_ie_info *vndrie_info;	3982	struct parsed_vndr_ie_info *vndrie_info;
3983	s32 i;	3983	s32 i;
3984	u8 *ptr;	3984	u8 *ptr;
3985	u32 remained_buf_len;	3985	int remained_buf_len;
3986		3986
3987	WL_TRACE("bssidx %d, pktflag : 0x%02X\n", bssidx, pktflag);	3987	WL_TRACE("bssidx %d, pktflag : 0x%02X\n", bssidx, pktflag);
3988	iovar_ie_buf = kzalloc(WL_EXTRA_BUF_MAX, GFP_KERNEL);	3988	iovar_ie_buf = kzalloc(WL_EXTRA_BUF_MAX, GFP_KERNEL);