Hi Larry,
My testing version of Smatch has a new warning, and I was wondering
if you could take a look:
drivers/staging/rtl8712/rtl871x_mlme.c +1286 r8712_set_key(41)
warn: buffer overflow 'psecuritypriv->XGrpKey' 2 <= 2
drivers/staging/rtl8712/rtl871x_mlme.c
1283 case _TKIP_:
1284 keylen = 16;
1285 memcpy(psetkeyparm->key,
1286 &psecuritypriv->XGrpKey[keyid - 1], keylen);
^^^^^^^^^^^^^^^^^^^
->XGrpKey[] has two elements.
keyid comes from user calling the ioctl. It's capped between 0 and
3 by the callers. So either -1 or or 2 would be outside of the array.
1287 psetkeyparm->grpkey = 1;
1288 break;
1289 case _AES_:
1290 keylen = 16;
1291 memcpy(psetkeyparm->key,
1292 &psecuritypriv->XGrpKey[keyid - 1], keylen);
^^^^^^^^^^^^^^^^^^^^
Same thing.
1293 psetkeyparm->grpkey = 1;
1294 break;
I don't know the code so well so maybe I've misunderstood how this
works.
regards,
dan carpenter
_______________________________________________
devel mailing list
[email protected]
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
