[PATCH] staging: rtl8192e: Fix array overrun
Jonas Gorski
jonas.gorski at gmail.com
Fri Aug 26 21:00:47 UTC 2011
Hi,
> On 26 August 2011 22:33, Larry Finger <Larry.Finger at lwfinger.net> wrote:
> Smatch outputs the following message:
>
> drivers/staging/rtl8192e/r8192E_cmdpkt.c +412 cmpk_message_handle_rx(70)
> error: buffer overflow 'priv->stats.rxcmdpkt' 4 <= 7
>
> 407 RT_TRACE(COMP_CMDPKT, "---->cmpk_message_handle_rx():"
> 408 "unknow CMD Element\n");
> 409 return 1;
> 410 }
> 411
> 412 priv->stats.rxcmdpkt[element_id]++;
> ^^^^^^^^^^
> ->stats.rxcmdpkt[] only has 4 elements, but from the switch statement
> in the section before we can see that element_id can go up to 7
> (RX_TX_RATE_HISTORY).
>
> Reported-by: Dan Carpenter <error27 at gmail.com>
> Signed-off-by: Larry Finger <Larry.Finger at lwfinger.net>
> ---
> drivers/staging/rtl8192e/rtl_core.h | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/staging/rtl8192e/rtl_core.h b/drivers/staging/rtl8192e/rtl_core.h
> index 5b78530..78ae738 100644
> --- a/drivers/staging/rtl8192e/rtl_core.h
> +++ b/drivers/staging/rtl8192e/rtl_core.h
> @@ -388,7 +388,7 @@ struct rt_stats {
> unsigned long rxrdu;
> unsigned long rxok;
> unsigned long rxframgment;
> - unsigned long rxcmdpkt[4];
> + unsigned long rxcmdpkt[7];
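Review bot: The new size on the `+ unsigned long rxcmdpkt[7];` line still leaves index 7 out of bounds: a 7-element array has valid indices 0 through 6, while the commit message states that element_id can go up to 7 (RX_TX_RATE_HISTORY). Size the array at 8, or preferably by a named constant tied to the highest element id, so that the `priv->stats.rxcmdpkt[element_id]++` increment shown in the Smatch excerpt stays inside the array if more element ids are added later.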
Doesn't it need to be sized 8 if 7 is the highest element_id?
Regards,
Jonas