Static analysis with CoverityScan picked up an out of bounds read issue
that has been in the Raylink wireless LAN card driver since it appeared
in the kernel:
drivers/net/wireless/ray_cs.c:
accessing org[3] is out of bounds, the array has just 3 elements.
959 if (proto == htons(ETH_P_AARP) || proto ==
htons(ETH_P_IPX)) {
960 /* This is the selective translation table,
only 2 entries */
CID undefined (#1 of 1): Out-of-bounds read
overrun-local: Overrunning array of 3 bytes at byte offset 3 by
dereferencing pointer &((struct snaphdr_t *)ptx->var)->org[3].
961 writeb(0xf8,
962 &((struct snaphdr_t __iomem
*)ptx->var)->org[3]);
963 }
I suspect the org[3] is a typo and should be org[2], but I don't have
any info on the H/W so I'm speculating that this is the issue. Any ideas
anyone?
Colin
