Smatch outputs the following message:
drivers/staging/rtl8192e/r8192E_cmdpkt.c +412 cmpk_message_handle_rx(70)
error: buffer overflow 'priv->stats.rxcmdpkt' 4 <= 7
407 RT_TRACE(COMP_CMDPKT,
"---->cmpk_message_handle_rx():"
408 "unknow CMD Element\n");
409 return 1;
410 }
411
412 priv->stats.rxcmdpkt[element_id]++;
^^^^^^^^^^
->stats.rxcmdpkt[] only has 4 elements, but from the switch statement
in the section before we can see that element_id can go up to 7
(RX_TX_RATE_HISTORY).
Reported-by: Dan Carpenter <erro...@gmail.com>
Signed-off-by: Larry Finger <larry.fin...@lwfinger.net>
---
Greg,
V2 Change from dimension of 7 to 8
This patch can be pulled from
git://git.kernel.org/pub/scm/linux/kernel/git/lwfinger/r8192E.git
Larry
drivers/staging/rtl8192e/rtl_core.h | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/staging/rtl8192e/rtl_core.h
b/drivers/staging/rtl8192e/rtl_core.h
index 5b78530..78ae738 100644
--- a/drivers/staging/rtl8192e/rtl_core.h
+++ b/drivers/staging/rtl8192e/rtl_core.h
@@ -388,7 +388,7 @@ struct rt_stats {
unsigned long rxrdu;
unsigned long rxok;
unsigned long rxframgment;
- unsigned long rxcmdpkt[4];
+ unsigned long rxcmdpkt[8];
unsigned long rxurberr;
unsigned long rxstaterr;
unsigned long rxdatacrcerr;
--
1.7.3.4
_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
