Prevent memory corruption in ath9k rate control algorithm

From: Pavel Roskin <proski@gnu.org>

Check final_rate in ath_debug_stat_rc().  Don't return negative values
from ath_rc_get_rateindex(), callers don't expect it.

Signed-off-by: Pavel Roskin <proski@gnu.org>
---

 drivers/net/wireless/ath/ath9k/rc.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)


diff --git a/drivers/net/wireless/ath/ath9k/rc.c b/drivers/net/wireless/ath/ath9k/rc.c
index 635b592..afe22f4 100644
--- a/drivers/net/wireless/ath/ath9k/rc.c
+++ b/drivers/net/wireless/ath/ath9k/rc.c
@@ -385,6 +385,11 @@ static int ath_rc_get_rateindex(const struct ath_rate_table *rate_table,
 	int rix = 0, i = 0;
 	static const int mcs_rix_off[] = { 7, 15, 20, 21, 22, 23 };
 
+	if (rate->idx < 0) {
+		printk(KERN_ERR "%s: rate->idx = %d\n", __func__, rate->idx);
+		return 0;
+	}
+
 	if (!(rate->flags & IEEE80211_TX_RC_MCS))
 		return rate->idx;
 
@@ -1324,6 +1329,11 @@ static void ath_debug_stat_rc(struct ath_rate_priv *rc, int final_rate)
 {
 	struct ath_rc_stats *stats;
 
+	if (final_rate < 0 || final_rate >= RATE_TABLE_SIZE) {
+		printk(KERN_ERR "%s: invalid final_rate: %d\n", __func__,
+		       final_rate);
+		return;
+	}
 	stats = &rc->rcstats[final_rate];
 	stats->success++;
 }