
Buffer overrun error found in brcm80211 driver code


 



Hi,


I came across an issue reported by an internal static analysis tool when it was tested on the code for the brcm80211 driver.

The commit which introduced it is -
5b435de0d786869c95d1962121af0d7df2542009
("net: wireless: add brcm80211 drivers")


In the file -
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c

within the function wlc_lcnphy_tx_iqlo_cal()

we assign value to band_idx as below
band_idx = (CHSPEC_IS5G(pi->radio_chanspec) ? 1 : 0);
From this band_idx could be either 1 or 0.

But when we look at the array iqcal_gainparams_numgains_lcnphy[] at
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c

We can notice that it is initialized with only one value in it.

static const u16 iqcal_gainparams_numgains_lcnphy[1] = {
    ARRAY_SIZE(tbl_iqcal_gainparams_lcnphy_2G),
};


So, when we try to access iqcal_gainparams_numgains_lcnphy[band_idx]
within the for loop in the same function we could be reading a wrong value of iqcal_gainparams_numgains_lcnphy[1]

Do you have any suggestion on how we can resolve this?
Is it possible to keep band_idx to just 0?


Thanks,
Samasth.
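
The pattern described in the message above, as an added example that is not part of the original post and not the driver's code: a two-valued band index used against a one-entry array, with a bounds-checked lookup that refuses the index that has no entry. The names tbl_gain_2g_model, numgains_model, band_index() and numgains_for_band() are hypothetical, and the table values are constructed placeholders.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed stand-in for the 2G gain table; values are placeholders. */
static const uint16_t tbl_gain_2g_model[][4] = {
    {1, 0, 0, 0}, {2, 0, 0, 0}, {3, 0, 0, 0},
};

/* Same shape as the array in the report: one entry, for the 2G band only. */
static const uint16_t numgains_model[1] = {
    ARRAY_SIZE(tbl_gain_2g_model),
};

/* Mirrors the reported assignment: 1 for a 5G channel, 0 otherwise. */
static unsigned int band_index(int is_5g)
{
    return is_5g ? 1 : 0;
}

/*
 * Checked lookup: returns 0 and stores the count on success, -1 if the
 * band index has no entry, instead of reading past the end of the array.
 */
static int numgains_for_band(unsigned int band_idx, uint16_t *out)
{
    if (band_idx >= ARRAY_SIZE(numgains_model))
        return -1;
    *out = numgains_model[band_idx];
    return 0;
}

int main(void)
{
    for (int is_5g = 0; is_5g <= 1; is_5g++) {
        uint16_t n = 0;

        if (numgains_for_band(band_index(is_5g), &n) == 0)
            printf("is_5g=%d: %u gain entries\n", is_5g, (unsigned)n);
        else
            printf("is_5g=%d: no table for this band, lookup refused\n", is_5g);
    }
    return 0;
}
```
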



