diff options
author | Larry Finger <Larry.Finger@lwfinger.net> | 2011-08-26 16:46:28 -0500 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-08-29 10:58:00 -0700 |
commit | a504de3a1e201994eff1400d4eb16241be68c311 (patch) | |
tree | ceba53305a40ef7cf74c734de01d0b72fa147f9d | |
parent | 6eafa4604cfa109a89524d35d93df11c37bd66b0 (diff) | |
download | op-kernel-dev-a504de3a1e201994eff1400d4eb16241be68c311.zip op-kernel-dev-a504de3a1e201994eff1400d4eb16241be68c311.tar.gz |
staging: rtl8192e: Fix array overrun
Smatch outputs the following message:
drivers/staging/rtl8192e/r8192E_cmdpkt.c +412 cmpk_message_handle_rx(70)
error: buffer overflow 'priv->stats.rxcmdpkt' 4 <= 7
407 RT_TRACE(COMP_CMDPKT, "---->cmpk_message_handle_rx():"
408 "unknow CMD Element\n");
409 return 1;
410 }
411
412 priv->stats.rxcmdpkt[element_id]++;
^^^^^^^^^^
->stats.rxcmdpkt[] only has 4 elements, but from the switch statement
in the section before we can see that element_id can go up to 7
(RX_TX_RATE_HISTORY).
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | drivers/staging/rtl8192e/rtl_core.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/staging/rtl8192e/rtl_core.h b/drivers/staging/rtl8192e/rtl_core.h index 5b78530..f9af515 100644 --- a/drivers/staging/rtl8192e/rtl_core.h +++ b/drivers/staging/rtl8192e/rtl_core.h @@ -388,7 +388,7 @@ struct rt_stats { unsigned long rxrdu; unsigned long rxok; unsigned long rxframgment; - unsigned long rxcmdpkt[4]; + unsigned long rxcmdpkt[8]; unsigned long rxurberr; unsigned long rxstaterr; unsigned long rxdatacrcerr; |