author | Martin Kaiser <martin@kaiser.cx> | 2021-09-18 16:40:24 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-09-20 14:40:40 +0300 |
commit | 037116c8f047a1912b33b7e9411e755864a7b7c5 (patch) | |
tree | 6c0501a9d6f1c3e0fd0abc04386fc6dd91ae01f4 | |
parent | c2e478e74cb684627265008f8041cf7c6acd6519 (diff) | |
download | linux-037116c8f047a1912b33b7e9411e755864a7b7c5.tar.xz |
staging: r8188eu: do not write past the end of an array

Commit f7b687d6b67e ("staging: r8188eu: remove NumTotalRFPath from struct
hal_data_8188e") removed a for loop around a block of code that is executed
only once when i == 0. However, without the for loop, i will never be set
to 0 before the code block is executed. i remains at 2, which is the final
value after the previous loop. This results in a write past the end of the
powerlevel and MCSBase arrays.

[ 28.480809] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: rtl8188e_PHY_RF6052SetOFDMTxPower+0x124/0x128 [r8188eu]
[ 28.493752] ---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: rtl8188e_PHY_RF6052SetOFDMTxPower+0x124/0x128 [r8188eu] ]---

Fix this by replacing i with 0 in the code block that used to be the body of
the loop. While at it, remove the powerlevel array that was just holding a
temporary value.

Tested with Edimax EW-7811Un V2 on an ARM32 embedded system.

Fixes: f7b687d6b67e ("staging: r8188eu: remove NumTotalRFPath from struct hal_data_8188e")
Acked-by: Michael Straube <straube.linux@gmail.com>
Signed-off-by: Martin Kaiser <martin@kaiser.cx>
Link: https://lore.kernel.org/r/20210918134024.23837-1-martin@kaiser.cx
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | drivers/staging/r8188eu/hal/rtl8188e_rf6052.c | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/drivers/staging/r8188eu/hal/rtl8188e_rf6052.c b/drivers/staging/r8188eu/hal/rtl8188e_rf6052.c index 2dcfbb008914..edaa9a6dfdb1 100644 --- a/drivers/staging/r8188eu/hal/rtl8188e_rf6052.c +++ b/drivers/staging/r8188eu/hal/rtl8188e_rf6052.c @@ -184,7 +184,7 @@ static void getpowerbase88e(struct adapter *Adapter, u8 *pPowerLevelOFDM, { struct hal_data_8188e *pHalData = GET_HAL_DATA(Adapter); u32 powerBase0, powerBase1; - u8 i, powerlevel[2]; + u8 i; for (i = 0; i < 2; i++) { powerBase0 = pPowerLevelOFDM[i]; @@ -195,12 +195,11 @@ static void getpowerbase88e(struct adapter *Adapter, u8 *pPowerLevelOFDM, /* Check HT20 to HT40 diff */ if (pHalData->CurrentChannelBW == HT_CHANNEL_WIDTH_20) - powerlevel[i] = pPowerLevelBW20[i]; + powerBase1 = pPowerLevelBW20[0]; else - powerlevel[i] = pPowerLevelBW40[i]; - powerBase1 = powerlevel[i]; + powerBase1 = pPowerLevelBW40[0]; powerBase1 = (powerBase1 << 24) | (powerBase1 << 16) | (powerBase1 << 8) | powerBase1; - *(MCSBase + i) = powerBase1; + *MCSBase = powerBase1; } static void get_rx_power_val_by_reg(struct adapter *Adapter, u8 Channel, |
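Review bot: In the second hunk, under the "Check HT20 to HT40 diff" comment, the literal index 0 in `pPowerLevelBW20[0]`, `pPowerLevelBW40[0]` and `*MCSBase` has no comment saying why only the first entry is used, so the reason lives only in the commit message. A one-line comment there, noting that this block handles a single entry and must not use the loop counter, would help prevent a later cleanup from reintroducing `i`, which still holds 2 after the `for (i = 0; i < 2; i++)` loop shown in the first hunk. Since `i` remains declared at function scope, it would also be worth checking that nothing else after that loop reads it.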