Lifecycle

  1. Posted Dan Carpenter <dan.carpenter@oracle.com>
  2. Landed on mainline (Linus) commit 37f12202c5d2

[PATCH] staging: r8188eu: prevent array underflow in rtw_hal_update_ra_mask()

From: Dan Carpenter <hidden>
Date: 2021-09-30 12:26:50
Also in: kernel-janitors, lkml
Subsystem: staging subsystem, the rest · Maintainers: Greg Kroah-Hartman, Linus Torvalds 

The problem is that "mac_id" is a u32 so this check for underflow does
not work when "mac_id" is zero.  In that situation, "mac_id - 1" is
UINT_MAX instead of -1 so the condition is true.  It leads to an
array underflow on the next line.

Fixes: 8cd574e6af54 ("staging: r8188eu: introduce new hal dir for RTL8188eu driver")
Signed-off-by: Dan Carpenter <redacted>
---
 drivers/staging/r8188eu/hal/hal_intf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/r8188eu/hal/hal_intf.c b/drivers/staging/r8188eu/hal/hal_intf.c
index 410cc4197548..ce0ebdecbd66 100644
--- a/drivers/staging/r8188eu/hal/hal_intf.c
+++ b/drivers/staging/r8188eu/hal/hal_intf.c
@@ -116,7 +116,7 @@ void rtw_hal_update_ra_mask(struct adapter *adapt, u32 mac_id, u8 rssi_level)
 	if (check_fwstate(pmlmepriv, WIFI_AP_STATE)) {
 		struct sta_info *psta = NULL;
 		struct sta_priv *pstapriv = &adapt->stapriv;
-		if ((mac_id - 1) > 0)
+		if (mac_id >= 2)
 			psta = pstapriv->sta_aid[(mac_id - 1) - 1];
 		if (psta)
 			add_RATid(adapt, psta, 0);/* todo: based on rssi_level*/
-- 
2.20.1
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help