[bug report] staging: vt6655: bounds checking

Dan Carpenter error27 at gmail.com
Fri Feb 12 12:04:36 UTC 2010


There are a couple buffer overflows in drivers/staging/vt6655/card.c

drivers/staging/vt6655/card.c +1590 CARDbAdd_PMKID_Candidate(38) warn: buffer overflow 'pDevice->gsPMKIDCandidate.CandidateLidateList' 5 <= 5

There is a range checking stub on line 1565 but it doesn't do anything.

drivers/staging/vt6655/card.c CARDbAdd_PMKID_Candidate()
  1565      if (pDevice->gsPMKIDCandidate.NumCandidates >= MAX_PMKIDLIST) {
  1566          DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO"vFlush_PMKID_Candidate: 3\n");
  1567          memset(&pDevice->gsPMKIDCandidate, 0, sizeof(SPMKIDCandidateEvent));
  1568      }

drivers/staging/vt6655/card.c +1682 CARDvInitChannelTable(68) error: buffer overflow 'ChannelRuleTab' 119 <= 119 
drivers/staging/vt6655/card.c +1682 CARDvInitChannelTable(68) error: buffer overflow 'ChannelRuleTab' 119 <= 119 

I don't know the proper fix for these.

regards,
dan carpenter



More information about the devel mailing list