commit 4e3b3bcd81776527fa6f11624d68849de8c8802e
author Larry Finger <Larry.Finger@lwfinger.net> Mon Mar 10 18:53:10 2014 -0500
committer John W. Linville <linville@tuxdriver.com> Thu Mar 13 14:05:40 2014 -0400
tree 3d63e3f9080c7c13abafbfbc0514278899fa02d3
parent 3ead0d2e220ea7ced14027336bb168bafa01b7af

rtlwifi: rtl8723be: Fix array dimension problems

Commit a619d1abe20c leads to the following static checker warning:

drivers/net/wireless/rtlwifi/rtl8723be/phy.c:667 _rtl8723be_store_tx_power_by_rate()
error: buffer overflow 'rtlphy->tx_power_by_rate_offset[band]' 4 <= 5

This warning arises because the code is testing the indices for the wrong maximum
values. In addition, the tests merely putput a warning, and then procedes to
corrupt memory. With this change, any such invalid memory access is avoided.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

drivers/net/wireless/rtlwifi/rtl8723be/phy.c

diff --git a/drivers/net/wireless/rtlwifi/rtl8723be/phy.c b/drivers/net/wireless/rtlwifi/rtl8723be/phy.c
index cadae9b..1575ef9 100644
--- a/drivers/net/wireless/rtlwifi/rtl8723be/phy.c
+++ b/drivers/net/wireless/rtlwifi/rtl8723be/phy.c
@@ -629,18 +629,22 @@
 	struct rtl_phy *rtlphy = &(rtlpriv->phy);
 	u8 rate_section = _rtl8723be_get_rate_section_index(regaddr);
 
-	if (band != BAND_ON_2_4G && band != BAND_ON_5G)
+	if (band != BAND_ON_2_4G && band != BAND_ON_5G) {
 		RT_TRACE(rtlpriv, COMP_POWER, PHY_TXPWR,
 			 "Invalid Band %d\n", band);
+		return;
+	}
 
-	if (rfpath > MAX_RF_PATH)
+	if (rfpath > TX_PWR_BY_RATE_NUM_RF) {
 		RT_TRACE(rtlpriv, COMP_POWER, PHY_TXPWR,
 			 "Invalid RfPath %d\n", rfpath);
-
-	if (txnum > MAX_RF_PATH)
+		return;
+	}
+	if (txnum > TX_PWR_BY_RATE_NUM_RF) {
 		RT_TRACE(rtlpriv, COMP_POWER, PHY_TXPWR,
 			 "Invalid TxNum %d\n", txnum);
-
+		return;
+	}
 	rtlphy->tx_power_by_rate_offset[band][rfpath][txnum][rate_section] =
 									data;
 }