From a504de3a1e201994eff1400d4eb16241be68c311 Mon Sep 17 00:00:00 2001 From: Larry Finger <Larry.Finger@lwfinger.net> Date: Fri, 26 Aug 2011 16:46:28 -0500 Subject: [PATCH] staging: rtl8192e: Fix array overrun Smatch outputs the following message: drivers/staging/rtl8192e/r8192E_cmdpkt.c +412 cmpk_message_handle_rx(70) error: buffer overflow 'priv->stats.rxcmdpkt' 4 <= 7 407 RT_TRACE(COMP_CMDPKT, "---->cmpk_message_handle_rx():" 408 "unknow CMD Element\n"); 409 return 1; 410 } 411 412 priv->stats.rxcmdpkt[element_id]++; ^^^^^^^^^^ ->stats.rxcmdpkt[] only has 4 elements, but from the switch statement in the section before we can see that element_id can go up to 7 (RX_TX_RATE_HISTORY). Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
 drivers/staging/rtl8192e/rtl_core.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8192e/rtl_core.h b/drivers/staging/rtl8192e/rtl_core.h
index 5b78530bf220..f9af5153d9cf 100644
--- a/drivers/staging/rtl8192e/rtl_core.h
+++ b/drivers/staging/rtl8192e/rtl_core.h
@@ -388,7 +388,7 @@ struct rt_stats {
 unsigned long rxrdu;
 unsigned long rxok;
 unsigned long rxframgment;
- unsigned long rxcmdpkt[4];
+ unsigned long rxcmdpkt[8];
 unsigned long rxurberr;
 unsigned long rxstaterr;
 unsigned long rxdatacrcerr;
-- 2.20.1
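Review bot: The new size in `unsigned long rxcmdpkt[8];` is a bare literal that is only implicitly tied to the largest element id the switch in cmpk_message_handle_rx() accepts (7, RX_TX_RATE_HISTORY, per the commit message), so the array and the switch can drift apart again if another command element is added. Since element_id appears to come from a received command packet, I would also guard the write site itself, e.g. `if (element_id < ARRAY_SIZE(priv->stats.rxcmdpkt)) priv->stats.rxcmdpkt[element_id]++;`, so the bound is enforced where the index is used. A comment on the field such as `/* indexed by cmdpkt element id, 0..RX_TX_RATE_HISTORY */` would record why the size is 8. The switch and the increment are in r8192E_cmdpkt.c, outside this hunk, and struct rt_stats continues past it, so the above is inferred from the commit message rather than from the visible lines.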