This patch fixes a potential buffer overflow detected by smatch. pda16 has length 512, while processing an element with index < 512 we are checking for an end marker in the next element. This poses a potential buffer overflow if no end marker is present. Signed-off-by: Tillmann Heidsieck <theidsieck@xxxxxxxxx> --- v2: add missing Signed-off-by line drivers/staging/wlan-ng/prism2fw.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/staging/wlan-ng/prism2fw.c b/drivers/staging/wlan-ng/prism2fw.c index fe36613..d357b7e 100644 --- a/drivers/staging/wlan-ng/prism2fw.c +++ b/drivers/staging/wlan-ng/prism2fw.c @@ -590,7 +590,7 @@ static int mkpdrlist(struct pda *pda) pda->nrec = 0; curroff = 0; - while (curroff < (HFA384x_PDA_LEN_MAX / 2) && + while (curroff < (HFA384x_PDA_LEN_MAX / 2 - 1) && le16_to_cpu(pda16[curroff + 1]) != HFA384x_PDR_END_OF_PDA) { pda->rec[pda->nrec] = (hfa384x_pdrec_t *) &(pda16[curroff]); @@ -626,7 +626,7 @@ static int mkpdrlist(struct pda *pda) curroff += le16_to_cpu(pda16[curroff]) + 1; } - if (curroff >= (HFA384x_PDA_LEN_MAX / 2)) { + if (curroff >= (HFA384x_PDA_LEN_MAX / 2 - 1)) { pr_err("no end record found or invalid lengths in PDR data, exiting. %x %d\n", curroff, pda->nrec); return 1; -- 2.6.0 -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html