Commit a504de3a authored by Larry Finger, committed by Greg Kroah-Hartman

staging: rtl8192e: Fix array overrun

Smatch outputs the following message:

drivers/staging/rtl8192e/r8192E_cmdpkt.c +412 cmpk_message_handle_rx(70)
	error: buffer overflow 'priv->stats.rxcmdpkt' 4 <= 7

   407                          RT_TRACE(COMP_CMDPKT, "---->cmpk_message_handle_rx():"
   408                                   "unknow CMD Element\n");
   409                          return 1;
   410                  }
   411
   412                  priv->stats.rxcmdpkt[element_id]++;
                                             ^^^^^^^^^^
->stats.rxcmdpkt[] only has 4 elements, but from the switch statement
in the section before we can see that element_id can go up to 7
(RX_TX_RATE_HISTORY).
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
parent 6eafa460
...@@ -388,7 +388,7 @@ struct rt_stats { ...@@ -388,7 +388,7 @@ struct rt_stats {
unsigned long rxrdu; unsigned long rxrdu;
unsigned long rxok; unsigned long rxok;
unsigned long rxframgment; unsigned long rxframgment;
unsigned long rxcmdpkt[4]; unsigned long rxcmdpkt[8];
unsigned long rxurberr; unsigned long rxurberr;
unsigned long rxstaterr; unsigned long rxstaterr;
unsigned long rxdatacrcerr; unsigned long rxdatacrcerr;
......
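Review bot: the new bound in `unsigned long rxcmdpkt[8];` is a bare literal that matches the largest element id named in the commit message (7, RX_TX_RATE_HISTORY) only by convention, so a later element id added to the switch would bring the overrun back without any compiler or runtime signal. Consider sizing the array from a named constant defined next to the element ids, and checking element_id against ARRAY_SIZE(priv->stats.rxcmdpkt) before the `priv->stats.rxcmdpkt[element_id]++` increment at line 412, since the function name cmpk_message_handle_rx suggests the index is derived from received data.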