From patchwork Mon Mar 10 23:53:10 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Larry Finger X-Patchwork-Id: 3808281 Return-Path: X-Original-To: patchwork-linux-wireless@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 3448EBF540 for ; Mon, 10 Mar 2014 23:53:52 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id AD7F120221 for ; Mon, 10 Mar 2014 23:53:49 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 7FF46201BC for ; Mon, 10 Mar 2014 23:53:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752725AbaCJXxS (ORCPT ); Mon, 10 Mar 2014 19:53:18 -0400 Received: from mail-ob0-f173.google.com ([209.85.214.173]:53083 "EHLO mail-ob0-f173.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752311AbaCJXxR (ORCPT ); Mon, 10 Mar 2014 19:53:17 -0400 Received: by mail-ob0-f173.google.com with SMTP id gq1so7703568obb.18 for ; Mon, 10 Mar 2014 16:53:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:from:to:cc:subject:date:message-id; bh=X3hCaWiby8NHwObuJsNXjRsQh2SWpatelayomqkAHPU=; b=WcEr2ZjMVeDVqeqwMQc/JPM7rbYOIvDSQotRJxhiFyoypG566WPL214zivTPxkA8gU ewCuRRSzf/+NpLWmKL6ASph08v8WMHIBLUiyz/GT1LQRiIW6aTd9sQaAsfzXrImjNwX7 evJw0n9IBPzCz7kZON4EJRzGDpRH47agXLrezIeIG99AW7dVWm1W5fadIXnKGMyA3ugv nOvlGZydxI0TeZ0DZdeotzid57G6EQUAWG/8+h2tgFUZbQA+Sn+hn9fBOzxuGv9Dn/AX pGnR+fr5x/OcLsjfBaFOxzFxEa+54YdgC6bxlxMO6pPRFCxHsNSY0PLu5+abg8nT4Qi2 Eyvw== X-Received: by 10.182.43.161 with SMTP id x1mr30334110obl.5.1394495596824; Mon, 10 Mar 2014 16:53:16 -0700 (PDT) Received: from larrylap.site (cpe-75-81-36-251.kc.res.rr.com. [75.81.36.251]) by mx.google.com with ESMTPSA id o6sm116391093oel.4.2014.03.10.16.53.15 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 10 Mar 2014 16:53:16 -0700 (PDT) From: Larry Finger To: linville@tuxdriver.com Cc: linux-wireless@vger.kernel.org, Larry Finger , netdev@vger.kernel.org Subject: [PATCH NEXT] rtlwifi: rtl8723be: Fix array dimension problems Date: Mon, 10 Mar 2014 18:53:10 -0500 Message-Id: <1394495590-2351-1-git-send-email-Larry.Finger@lwfinger.net> X-Mailer: git-send-email 1.8.4.5 Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,T_DKIM_INVALID,T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Commit a619d1abe20c leads to the following static checker warning: drivers/net/wireless/rtlwifi/rtl8723be/phy.c:667 _rtl8723be_store_tx_power_by_rate() error: buffer overflow 'rtlphy->tx_power_by_rate_offset[band]' 4 <= 5 This warning arises because the code is testing the indices for the wrong maximum values. In addition, the tests merely putput a warning, and then procedes to corrupt memory. With this change, any such invalid memory access is avoided. Signed-off-by: Larry Finger Reported-by: Dan Carpenter --- drivers/net/wireless/rtlwifi/rtl8723be/phy.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/drivers/net/wireless/rtlwifi/rtl8723be/phy.c b/drivers/net/wireless/rtlwifi/rtl8723be/phy.c index cadae9b..1575ef9 100644 --- a/drivers/net/wireless/rtlwifi/rtl8723be/phy.c +++ b/drivers/net/wireless/rtlwifi/rtl8723be/phy.c @@ -629,18 +629,22 @@ static void _rtl8723be_store_tx_power_by_rate(struct ieee80211_hw *hw, struct rtl_phy *rtlphy = &(rtlpriv->phy); u8 rate_section = _rtl8723be_get_rate_section_index(regaddr); - if (band != BAND_ON_2_4G && band != BAND_ON_5G) + if (band != BAND_ON_2_4G && band != BAND_ON_5G) { RT_TRACE(rtlpriv, COMP_POWER, PHY_TXPWR, "Invalid Band %d\n", band); + return; + } - if (rfpath > MAX_RF_PATH) + if (rfpath > TX_PWR_BY_RATE_NUM_RF) { RT_TRACE(rtlpriv, COMP_POWER, PHY_TXPWR, "Invalid RfPath %d\n", rfpath); - - if (txnum > MAX_RF_PATH) + return; + } + if (txnum > TX_PWR_BY_RATE_NUM_RF) { RT_TRACE(rtlpriv, COMP_POWER, PHY_TXPWR, "Invalid TxNum %d\n", txnum); - + return; + } rtlphy->tx_power_by_rate_offset[band][rfpath][txnum][rate_section] = data; }