From a504de3a1e201994eff1400d4eb16241be68c311 Mon Sep 17 00:00:00 2001
From: Larry Finger <Larry.Finger@lwfinger.net>
Date: Fri, 26 Aug 2011 16:46:28 -0500
Subject: [PATCH] staging: rtl8192e: Fix array overrun

Smatch outputs the following message:

drivers/staging/rtl8192e/r8192E_cmdpkt.c +412 cmpk_message_handle_rx(70)
	error: buffer overflow 'priv->stats.rxcmdpkt' 4 <= 7

   407                          RT_TRACE(COMP_CMDPKT, "---->cmpk_message_handle_rx():"
   408                                   "unknow CMD Element\n");
   409                          return 1;
   410                  }
   411
   412                  priv->stats.rxcmdpkt[element_id]++;
                                             ^^^^^^^^^^
->stats.rxcmdpkt[] only has 4 elements, but from the switch statement
in the section before we can see that element_id can go up to 7
(RX_TX_RATE_HISTORY).

Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
 drivers/staging/rtl8192e/rtl_core.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8192e/rtl_core.h b/drivers/staging/rtl8192e/rtl_core.h
index 5b78530bf220..f9af5153d9cf 100644
--- a/drivers/staging/rtl8192e/rtl_core.h
+++ b/drivers/staging/rtl8192e/rtl_core.h
@@ -388,7 +388,7 @@ struct rt_stats {
 	unsigned long rxrdu;
 	unsigned long rxok;
 	unsigned long rxframgment;
-	unsigned long rxcmdpkt[4];
+	unsigned long rxcmdpkt[8];
 	unsigned long rxurberr;
 	unsigned long rxstaterr;
 	unsigned long rxdatacrcerr;
-- 
2.20.1