[PATCH] staging: rtl8192e: Fix array overrun

Fri Aug 26 21:00:47 UTC 2011

Hi,

> On 26 August 2011 22:33, Larry Finger <Larry.Finger at lwfinger.net> wrote:
> Smatch outputs the following message:
>
> drivers/staging/rtl8192e/r8192E_cmdpkt.c +412 cmpk_message_handle_rx(70)
>        error: buffer overflow 'priv->stats.rxcmdpkt' 4 <= 7
>
>   407                          RT_TRACE(COMP_CMDPKT, "---->cmpk_message_handle_rx():"
>   408                                   "unknow CMD Element\n");
>   409                          return 1;
>   410                  }
>   411
>   412                  priv->stats.rxcmdpkt[element_id]++;
>                                             ^^^^^^^^^^
> ->stats.rxcmdpkt[] only has 4 elements, but from the switch statement
> in the section before we can see that element_id can go up to 7
> (RX_TX_RATE_HISTORY).
>
> Reported-by: Dan Carpenter <error27 at gmail.com>
> Signed-off-by: Larry Finger <Larry.Finger at lwfinger.net>
> ---
>  drivers/staging/rtl8192e/rtl_core.h |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/staging/rtl8192e/rtl_core.h b/drivers/staging/rtl8192e/rtl_core.h
> index 5b78530..78ae738 100644
> --- a/drivers/staging/rtl8192e/rtl_core.h
> +++ b/drivers/staging/rtl8192e/rtl_core.h
> @@ -388,7 +388,7 @@ struct rt_stats {
>        unsigned long rxrdu;
>        unsigned long rxok;
>        unsigned long rxframgment;
> -       unsigned long rxcmdpkt[4];
> +       unsigned long rxcmdpkt[7];

Doesn't it need to be sized 8 if 7 is the highest element_id?

Regards,
Jonas