staging: r8712u: Fix possible out-of-bounds index with TKIP and AES keys

Array XGrpKey has only 2 elements and uses (keyid - 1) as the index, which
allows the possibility of memory corruption from an out-of-bounds index.

This problem was reported by a new version of smatch.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/staging/rtl8712/rtl871x_mlme.c b/drivers/staging/rtl8712/rtl871x_mlme.c
index c475b961308e297565894b513d8ab70e00bbf203..ef8eb6c7ee419109ccd2d4cbc244520c1e2d1e50 100644 (file)
--- a/drivers/staging/rtl8712/rtl871x_mlme.c
+++ b/drivers/staging/rtl8712/rtl871x_mlme.c
@@ -1281,12 +1281,16 @@ sint r8712_set_key(struct _adapter *adapter,
                        psecuritypriv->DefKey[keyid].skey, keylen);
                break;
        case _TKIP_:
+               if (keyid < 1 || keyid > 2)
+                       return _FAIL;
                keylen = 16;
                memcpy(psetkeyparm->key,
                        &psecuritypriv->XGrpKey[keyid - 1], keylen);
                psetkeyparm->grpkey = 1;
                break;
        case _AES_:
+               if (keyid < 1 || keyid > 2)
+                       return _FAIL;
                keylen = 16;
                memcpy(psetkeyparm->key,
                        &psecuritypriv->XGrpKey[keyid - 1], keylen);