Commit 037116c8 authored by Martin Kaiser's avatar Martin Kaiser Committed by Greg Kroah-Hartman
Browse files

staging: r8188eu: do not write past the end of an array 



Commit f7b687d6 ("staging: r8188eu: remove NumTotalRFPath from struct
hal_data_8188e") removed a for loop around a block of code that is executed
only once when i == 0. However, without the for loop, i will never be set
to 0 before the code block is executed. i remains at 2, which is the final
value after the previous loop. This results in a write past the end of the
powerlevel and MCSBase arrays.

[   28.480809] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: rtl8188e_PHY_RF6052SetOFDMTxPower+0x124/0x128 [r8188eu]
[   28.493752] ---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: rtl8188e_PHY_RF6052SetOFDMTxPower+0x124/0x128 [r8188eu] ]---

Fix this by replacing i with 0 in the code block that used to be the body of
the loop. While at it, remove the powerlevel array that was just holding a
temporary value.

Tested with Edimax EW-7811Un V2 on an ARM32 embedded system.

Fixes: f7b687d6 ("staging: r8188eu: remove NumTotalRFPath from struct hal_data_8188e")
Acked-by: default avatarMichael Straube <straube.linux@gmail.com>
Signed-off-by: default avatarMartin Kaiser <martin@kaiser.cx>
Link: https://lore.kernel.org/r/20210918134024.23837-1-martin@kaiser.cx


Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent c2e478e7

drivers/staging/r8188eu/hal/rtl8188e_rf6052.c

+4 −5
Original line number Diff line number Diff line
@@ -184,7 +184,7 @@ static void getpowerbase88e(struct adapter *Adapter, u8 *pPowerLevelOFDM, 
{

	struct hal_data_8188e *pHalData = GET_HAL_DATA(Adapter);

	u32 powerBase0, powerBase1;

	u8 i, powerlevel[2];

	u8 i;



	for (i = 0; i < 2; i++) {

		powerBase0 = pPowerLevelOFDM[i];
@@ -195,12 +195,11 @@ static void getpowerbase88e(struct adapter *Adapter, u8 *pPowerLevelOFDM, 


	/* Check HT20 to HT40 diff */

	if (pHalData->CurrentChannelBW == HT_CHANNEL_WIDTH_20)

		powerlevel[i] = pPowerLevelBW20[i];

		powerBase1 = pPowerLevelBW20[0];

	else

		powerlevel[i] = pPowerLevelBW40[i];

	powerBase1 = powerlevel[i];

		powerBase1 = pPowerLevelBW40[0];

	powerBase1 = (powerBase1 << 24) | (powerBase1 << 16) | (powerBase1 << 8) | powerBase1;

	*(MCSBase + i) = powerBase1;

	*MCSBase = powerBase1;

}



static void get_rx_power_val_by_reg(struct adapter *Adapter, u8 Channel,