On Sat, 2019-05-04 at 21:50 +0000, Colin Ian King wrote:
> Hi,
>
> Static analysis with Coverity has found an issue in the rtl8188de
> wireless driver in drivers/net/wireless/realtek/rtlwifi/rtl8192de/dm.c
> in function tl92d_dm_txpower_tracking_callback_thermalmeter.
>
> The issue is that u8 array ofdm_index[3] is never initialized, however
> it is decremented and incremented in two places resulting in garbage
> value from the stack being updated in the following code:
>
> if (thermalvalue > rtlpriv->dm.thermalvalue) {
> for (i = 0; i < rf; i++)
> ofdm_index[i] -= delta;
> cck_index -= delta;
> } else {
> for (i = 0; i < rf; i++)
> ofdm_index[i] += index;
> cck_index += index;
> }
>
> At my first look at the code I believe ofdm_index should be just
> zero-initialized at declaration time, but I suspect that I'm overlooking
> something maybe a bit deeper. Any ideas?
>
Hi Colin,
Thanks for your report.
After my quick look, there are at least two obvious problems.
One is array size of ofdm_index[] should be two instead. Another is the value
of ofdm_index[] should be obtained from rtlpriv->dm.ofdm_index[].
Since the logic is quite complex, I need some time to fix it.
PK
