From: Young_X <YangX92@xxxxxxxxxxx>
The error at line 3267 was the result of an off-by-one error in
a for loop in line 3253.
If condition in line 3254 never satisfies, then the value of
pstat->aid is NUM_STA+1. This will lead to out-of-bound access
in line 3267.
Signed-off-by: Young_X <YangX92@xxxxxxxxxxx>
---
drivers/staging/rtl8188eu/core/rtw_mlme_ext.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c b/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c
index 6790b840..0854adc 100644
--- a/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c
@@ -3250,7 +3250,7 @@ static unsigned int OnAssocReq(struct adapter *padapter,
if (pstat->aid > 0) {
DBG_88E(" old AID %d\n", pstat->aid);
} else {
- for (pstat->aid = 1; pstat->aid <= NUM_STA; pstat->aid++)
+ for (pstat->aid = 1; pstat->aid < NUM_STA; pstat->aid++)
if (pstapriv->sta_aid[pstat->aid - 1] == NULL)
break;
--
2.7.4
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
