From: Larry Finger Date: Mon, 10 Mar 2014 23:53:10 +0000 (-0500) Subject: rtlwifi: rtl8723be: Fix array dimension problems X-Git-Tag: accepted/tizen/common/20141203.182822~316^2~18^2^2~135 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=4e3b3bcd81776527fa6f11624d68849de8c8802e;p=platform%2Fkernel%2Flinux-arm64.git rtlwifi: rtl8723be: Fix array dimension problems Commit a619d1abe20c leads to the following static checker warning: drivers/net/wireless/rtlwifi/rtl8723be/phy.c:667 _rtl8723be_store_tx_power_by_rate() error: buffer overflow 'rtlphy->tx_power_by_rate_offset[band]' 4 <= 5 This warning arises because the code is testing the indices for the wrong maximum values. In addition, the tests merely putput a warning, and then procedes to corrupt memory. With this change, any such invalid memory access is avoided. Signed-off-by: Larry Finger Reported-by: Dan Carpenter Signed-off-by: John W. Linville
---
diff --git a/drivers/net/wireless/rtlwifi/rtl8723be/phy.c b/drivers/net/wireless/rtlwifi/rtl8723be/phy.c
index cadae9b..1575ef9 100644
--- a/drivers/net/wireless/rtlwifi/rtl8723be/phy.c
+++ b/drivers/net/wireless/rtlwifi/rtl8723be/phy.c
@@ -629,18 +629,22 @@ static void _rtl8723be_store_tx_power_by_rate(struct ieee80211_hw *hw,
 struct rtl_phy *rtlphy = &(rtlpriv->phy);
 u8 rate_section = _rtl8723be_get_rate_section_index(regaddr);
- if (band != BAND_ON_2_4G && band != BAND_ON_5G)
+ if (band != BAND_ON_2_4G && band != BAND_ON_5G) {
 RT_TRACE(rtlpriv, COMP_POWER, PHY_TXPWR, "Invalid Band %d\n", band);
+ return;
+ }
- if (rfpath > MAX_RF_PATH)
+ if (rfpath > TX_PWR_BY_RATE_NUM_RF) {
 RT_TRACE(rtlpriv, COMP_POWER, PHY_TXPWR, "Invalid RfPath %d\n", rfpath);
-
- if (txnum > MAX_RF_PATH)
+ return;
+ }
+ if (txnum > TX_PWR_BY_RATE_NUM_RF) {
 RT_TRACE(rtlpriv, COMP_POWER, PHY_TXPWR, "Invalid TxNum %d\n", txnum);
-
+ return;
+ }
 rtlphy->tx_power_by_rate_offset[band][rfpath][txnum][rate_section] = data;
 }
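Review bot: The new bounds tests on `rfpath` and `txnum` use `>`, so a value equal to `TX_PWR_BY_RATE_NUM_RF` still passes and reaches the store into `tx_power_by_rate_offset`. If that constant is the array dimension, as its name and the checker warning quoted in the description suggest (the declaration is not visible in this hunk), that is a one-element out-of-bounds write. The tests should read `if (rfpath >= TX_PWR_BY_RATE_NUM_RF) {` and `if (txnum >= TX_PWR_BY_RATE_NUM_RF) {`. `rate_section` comes from `_rtl8723be_get_rate_section_index(regaddr)` and is used as the last index with no range test in the visible lines, so it is worth confirming the helper cannot return a value past that dimension. The function's signature and earlier declarations start outside the hunk.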