Commit a619d1abe20c leads to the following static checker warning:
drivers/net/wireless/rtlwifi/rtl8723be/phy.c:667 _rtl8723be_store_tx_power_by_rate()
error: buffer overflow 'rtlphy->tx_power_by_rate_offset[band]' 4 <= 5
This warning arises because the code is testing the indices for the wrong maximum
values. In addition, the tests merely putput a warning, and then procedes to
corrupt memory. With this change, any such invalid memory access is avoided.
Signed-off-by: Larry Finger <[email protected]>
Reported-by: Dan Carpenter <[email protected]>
---
drivers/net/wireless/rtlwifi/rtl8723be/phy.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/rtlwifi/rtl8723be/phy.c b/drivers/net/wireless/rtlwifi/rtl8723be/phy.c
index cadae9b..1575ef9 100644
--- a/drivers/net/wireless/rtlwifi/rtl8723be/phy.c
+++ b/drivers/net/wireless/rtlwifi/rtl8723be/phy.c
@@ -629,18 +629,22 @@ static void _rtl8723be_store_tx_power_by_rate(struct ieee80211_hw *hw,
struct rtl_phy *rtlphy = &(rtlpriv->phy);
u8 rate_section = _rtl8723be_get_rate_section_index(regaddr);
- if (band != BAND_ON_2_4G && band != BAND_ON_5G)
+ if (band != BAND_ON_2_4G && band != BAND_ON_5G) {
RT_TRACE(rtlpriv, COMP_POWER, PHY_TXPWR,
"Invalid Band %d\n", band);
+ return;
+ }
- if (rfpath > MAX_RF_PATH)
+ if (rfpath > TX_PWR_BY_RATE_NUM_RF) {
RT_TRACE(rtlpriv, COMP_POWER, PHY_TXPWR,
"Invalid RfPath %d\n", rfpath);
-
- if (txnum > MAX_RF_PATH)
+ return;
+ }
+ if (txnum > TX_PWR_BY_RATE_NUM_RF) {
RT_TRACE(rtlpriv, COMP_POWER, PHY_TXPWR,
"Invalid TxNum %d\n", txnum);
-
+ return;
+ }
rtlphy->tx_power_by_rate_offset[band][rfpath][txnum][rate_section] =
data;
}
--
1.8.4.5