Array XGrpKey has only 2 elements and uses (keyid - 1) as the index, which allows the possibility of memory corruption from an out-of-bounds index. This problem was reported by a new version of smatch. Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Signed-off-by: Larry Finger <Larry.Finger@xxxxxxxxxxxx> --- V2 - forgot to refresh patch before saending. --- Index: wireless-testing-new/drivers/staging/rtl8712/rtl871x_mlme.c =================================================================== --- wireless-testing-new.orig/drivers/staging/rtl8712/rtl871x_mlme.c +++ wireless-testing-new/drivers/staging/rtl8712/rtl871x_mlme.c @@ -1271,12 +1271,16 @@ sint r8712_set_key(struct _adapter *adap psecuritypriv->DefKey[keyid].skey, keylen); break; case _TKIP_: + if (keyid < 1 || keyid > 2) + return _FAIL; keylen = 16; memcpy(psetkeyparm->key, &psecuritypriv->XGrpKey[keyid - 1], keylen); psetkeyparm->grpkey = 1; break; case _AES_: + if (keyid < 1 || keyid > 2) + return _FAIL; keylen = 16; memcpy(psetkeyparm->key, &psecuritypriv->XGrpKey[keyid - 1], keylen); _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/devel