From: Larry Finger <Larry.Finger@lwfinger.net>
Date: Wed, 4 Sep 2013 20:55:58 +0000 (-0500)
Subject: staging: r8188eu: Fix some smatch errors in core/rtw_efuse.c
X-Git-Tag: firefly_0821_release~176^2~5057^2~720
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=e255b0c6f745eac61a7971ff6f0f4f6bf9039374;p=firefly-linux-kernel-4.4.55.git

staging: r8188eu: Fix some smatch errors in core/rtw_efuse.c

Smatch reports the following situations:

drivers/staging/rtl8188eu/core/rtw_efuse.c:589 rtw_efuse_map_write() error: buffer overflow 'newdata' 8 <= 8
drivers/staging/rtl8188eu/core/rtw_efuse.c:598 rtw_efuse_map_write() error: buffer overflow 'newdata' 8 <= 8
drivers/staging/rtl8188eu/core/rtw_efuse.c:681 rtw_BT_efuse_map_write() error: buffer overflow 'newdata' 8 <= 8
drivers/staging/rtl8188eu/core/rtw_efuse.c:690 rtw_BT_efuse_map_write() error: buffer overflow 'newdata' 8 <= 8

In these cases, it is possible to write beyond the end of an array.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/staging/rtl8188eu/core/rtw_efuse.c b/drivers/staging/rtl8188eu/core/rtw_efuse.c
index 869434c4cf69..ad1c174cd7ee 100644
--- a/drivers/staging/rtl8188eu/core/rtw_efuse.c
+++ b/drivers/staging/rtl8188eu/core/rtw_efuse.c
@@ -542,7 +542,7 @@ u8 rtw_efuse_map_write(struct adapter *padapter, u16 addr, u16 cnts, u8 *data)
 {
 	u8 offset, word_en;
 	u8 *map;
-	u8 newdata[PGPKT_DATA_SIZE];
+	u8 newdata[PGPKT_DATA_SIZE + 1];
 	s32	i, idx;
 	u8 ret = _SUCCESS;
 	u16 mapLen = 0;
@@ -564,7 +564,7 @@ u8 rtw_efuse_map_write(struct adapter *padapter, u16 addr, u16 cnts, u8 *data)
 
 	offset = (addr >> 3);
 	word_en = 0xF;
-	_rtw_memset(newdata, 0xFF, PGPKT_DATA_SIZE);
+	_rtw_memset(newdata, 0xFF, PGPKT_DATA_SIZE + 1);
 	i = addr & 0x7;	/*  index of one package */
 	idx = 0;	/*  data index */
 
@@ -634,7 +634,7 @@ u8 rtw_BT_efuse_map_write(struct adapter *padapter, u16 addr, u16 cnts, u8 *data
 {
 	u8 offset, word_en;
 	u8 *map;
-	u8 newdata[PGPKT_DATA_SIZE];
+	u8 newdata[PGPKT_DATA_SIZE + 1];
 	s32	i, idx;
 	u8 ret = _SUCCESS;
 	u16 mapLen = 0;
@@ -656,7 +656,7 @@ u8 rtw_BT_efuse_map_write(struct adapter *padapter, u16 addr, u16 cnts, u8 *data
 
 	offset = (addr >> 3);
 	word_en = 0xF;
-	_rtw_memset(newdata, 0xFF, PGPKT_DATA_SIZE);
+	_rtw_memset(newdata, 0xFF, PGPKT_DATA_SIZE + 1);
 	i = addr & 0x7;	/*  index of one package */
 	idx = 0;	/*  data index */