From 198fc7c37f8c99de4119ed5c4d7190d6e17e7dac Mon Sep 17 00:00:00 2001
From: Hans Petter Selasky <hselasky@FreeBSD.org>
Date: Fri, 31 Jan 2014 22:42:26 +0000
Subject: [PATCH] Fix a range check for maximum transmit length. The existing
 code was off by 4 bytes in one case.

Approved by:	kevlo @
MFC after:	2 weeks
---
 sys/dev/usb/wlan/if_run.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/sys/dev/usb/wlan/if_run.c b/sys/dev/usb/wlan/if_run.c
index 1256342dc820..69a525c42fe6 100644
--- a/sys/dev/usb/wlan/if_run.c
+++ b/sys/dev/usb/wlan/if_run.c
@@ -3070,10 +3070,10 @@ run_bulk_tx_callbackN(struct usb_xfer *xfer, usb_error_t error, u_int index)
 		STAILQ_REMOVE_HEAD(&pq->tx_qh, next);
 
 		m = data->m;
-		size = (sc->mac_ver == 0x5592) ? 
-		    RUN_MAX_TXSZ + sizeof(uint32_t) : RUN_MAX_TXSZ;
+		size = (sc->mac_ver == 0x5592) ?
+		    sizeof(data->desc) + sizeof(uint32_t) : sizeof(data->desc);
 		if ((m->m_pkthdr.len +
-		    sizeof(data->desc) + 3 + 8) > size) {
+		    size + 3 + 8) > RUN_MAX_TXSZ) {
 			DPRINTF("data overflow, %u bytes\n",
 			    m->m_pkthdr.len);
 
@@ -3085,8 +3085,6 @@ run_bulk_tx_callbackN(struct usb_xfer *xfer, usb_error_t error, u_int index)
 		}
 
 		pc = usbd_xfer_get_frame(xfer, 0);
-		size = (sc->mac_ver == 0x5592) ?
-		    sizeof(data->desc) + sizeof(uint32_t) : sizeof(data->desc);
 		usbd_copy_in(pc, 0, &data->desc, size);
 		usbd_m_copy_in(pc, size, m, 0, m->m_pkthdr.len);
 		size += m->m_pkthdr.len;