staging: rtl8192e: Fix array overrun
Smatch outputs the following message:
drivers/staging/rtl8192e/r8192E_cmdpkt.c +412 cmpk_message_handle_rx(70)
error: buffer overflow 'priv->stats.rxcmdpkt' 4 <= 7
407 RT_TRACE(COMP_CMDPKT, "---->cmpk_message_handle_rx():"
408 "unknow CMD Element\n");
409 return 1;
410 }
411
412 priv->stats.rxcmdpkt[element_id]++;
^^^^^^^^^^
->stats.rxcmdpkt[] only has 4 elements, but from the switch statement
in the section before we can see that element_id can go up to 7
(RX_TX_RATE_HISTORY).
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
diff --git a/drivers/staging/rtl8192e/rtl_core.h b/drivers/staging/rtl8192e/rtl_core.h
index 5b78530..f9af515 100644
--- a/drivers/staging/rtl8192e/rtl_core.h
+++ b/drivers/staging/rtl8192e/rtl_core.h
@@ -388,7 +388,7 @@
unsigned long rxrdu;
unsigned long rxok;
unsigned long rxframgment;
- unsigned long rxcmdpkt[4];
+ unsigned long rxcmdpkt[8];
unsigned long rxurberr;
unsigned long rxstaterr;
unsigned long rxdatacrcerr;