This fixes an off-by-one error in the
"if (idx > howmany(IWM_NUM_UCODE_TLV_CAPA, 32))" range check.
Since IWM_NUM_UCODE_TLV_CAPA is defined as 128, for an idx value of 4,
we would potentially try to set bits 159..128 in the sc->sc_enabled_capa
bitmap (which is just IWM_NUM_UCODE_TLV_CAPA bits long).
Index: sys/dev/pci/if_iwm.c
===================================================================
RCS file: /cvs/src/sys/dev/pci/if_iwm.c,v
retrieving revision 1.99
diff -u -r1.99 if_iwm.c
--- sys/dev/pci/if_iwm.c 17 Aug 2016 09:39:38 -0000 1.99
+++ sys/dev/pci/if_iwm.c 31 Aug 2016 19:41:12 -0000
@@ -758,7 +758,7 @@
}
capa = (struct iwm_ucode_capa *)tlv_data;
idx = le32toh(capa->api_index);
- if (idx > howmany(IWM_NUM_UCODE_TLV_CAPA, 32)) {
+ if (idx >= howmany(IWM_NUM_UCODE_TLV_CAPA, 32)) {
DPRINTF(("%s: unsupported API index %d\n",
DEVNAME(sc), idx));
goto parse_out;
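Review bot: The corrected check bounds `idx` only from above, and the `%d` in the DPRINTF suggests `idx` is a signed int (its declaration is outside this hunk). If so, a firmware TLV whose `api_index` has the top bit set would presumably convert to a negative value and still pass `idx >= howmany(IWM_NUM_UCODE_TLV_CAPA, 32)`. Because the value is read straight from the firmware image and, per the commit description, selects which 32-bit slice of the `sc->sc_enabled_capa` bitmap is written, the lower bound should be enforced too. Either declare `idx` as `uint32_t` (and print it with `%u`), or write the guard as `if (idx < 0 || idx >= howmany(IWM_NUM_UCODE_TLV_CAPA, 32)) {`. The enclosing case block starts before and continues after this hunk, so the declaration and the bitmap write should be confirmed there.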