From: Larry Finger <Larry.Finger@lwfinger.net>
Date: Fri, 26 Aug 2011 21:46:28 +0000 (-0500)
Subject: staging: rtl8192e: Fix array overrun
X-Git-Tag: v3.2-rc1~169^2^2~863
X-Git-Url: https://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a504de3a1e201994eff1400d4eb16241be68c311;p=pandora-kernel.git

staging: rtl8192e: Fix array overrun

Smatch outputs the following message:

drivers/staging/rtl8192e/r8192E_cmdpkt.c +412 cmpk_message_handle_rx(70)
	error: buffer overflow 'priv->stats.rxcmdpkt' 4 <= 7

   407                          RT_TRACE(COMP_CMDPKT, "---->cmpk_message_handle_rx():"
   408                                   "unknow CMD Element\n");
   409                          return 1;
   410                  }
   411
   412                  priv->stats.rxcmdpkt[element_id]++;
                                             ^^^^^^^^^^
->stats.rxcmdpkt[] only has 4 elements, but from the switch statement
in the section before we can see that element_id can go up to 7
(RX_TX_RATE_HISTORY).

Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

diff --git a/drivers/staging/rtl8192e/rtl_core.h b/drivers/staging/rtl8192e/rtl_core.h
index 5b78530bf220..f9af5153d9cf 100644
--- a/drivers/staging/rtl8192e/rtl_core.h
+++ b/drivers/staging/rtl8192e/rtl_core.h
@@ -388,7 +388,7 @@ struct rt_stats {
 	unsigned long rxrdu;
 	unsigned long rxok;
 	unsigned long rxframgment;
-	unsigned long rxcmdpkt[4];
+	unsigned long rxcmdpkt[8];
 	unsigned long rxurberr;
 	unsigned long rxstaterr;
 	unsigned long rxdatacrcerr;