gcc 4.3 compiler warning, possible off-by-one error?

Jouni Malinen j at w1.fi
Wed Jun 4 12:01:25 EDT 2008


On Thu, Jun 05, 2008 at 12:34:22AM +1000, Kel Modderman wrote:

> Compilation with gcc 4.3 yielded the following warnings:
> 
> ../src/rsn_supp/wpa_ie.c: In function 'wpa_gen_wpa_ie':
> ../src/rsn_supp/wpa_ie.c:195: warning: array subscript is above array bounds
> ../src/rsn_supp/wpa_ie.c: In function 'wpa_parse_wpa_ie':
> ../src/rsn_supp/wpa_ie.c:84: warning: array subscript is above array bounds
> 
> These are caused by lines of code involving RSN_SELECTOR_GET and
> RSN_SELECTOR_PUT, which seem to be macro wrappers for WPA_GET_BE32 and
> WPA_PUT_BE32 respectively. WPA_GET_BE32 and WPA_PUT_BE32 seem to do things
> with an array of length 4.

I know, and the new gcc version is not the only tool complaining about
those.. I've been putting this off for a while, but maybe it is time to
finally clean this up.

> The first argument given to these functions is an array of length 3.
> 
> The below patch makes the warning go away, but I am not sure if it is correct.

The current code is actually correct from a functional viewpoint, i.e.,
WPA_PUT_BE32 is supposed to "overflow" the 3-octet oui field and
continue into the oui_type. In other words, your patch is not the correct
way of getting rid of the warning. One way to do this would be to change
the oui to a 4-octet field and remove oui_type, but that is not exactly
correct either, since an OUI is 24 bits. The other option would be to not
use WPA_{PUT,GET}_BE32 here, but that adds more complexity to the code.
That could be hidden in the macro, but the binary size would still be a
bit larger..

-- 
Jouni Malinen                                            PGP id EFC895FA
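The layout argument in the reply above, as an added C example that is not code from the hostap tree: the struct, the big-endian store and the selector value are assumed reconstructions of what the thread describes, and the by-field writer is the "do not use WPA_{PUT,GET}_BE32 here" alternative Jouni mentions. It checks that the 4-byte store which trips the gcc 4.3 warning and a bounds-respecting per-field write produce identical bytes.

```c
#include <stdint.h>
#include <string.h>

typedef uint8_t u8;

/* Assumed layout of the IE header the thread discusses: a 3-octet OUI
 * immediately followed by the one-octet OUI type. */
struct wpa_ie_hdr {
    u8 elem_id;
    u8 len;
    u8 oui[3];
    u8 oui_type;
};

/* Big-endian 32-bit store, reconstructed from the thread's description of
 * WPA_PUT_BE32 (not the project's macro). */
static void wpa_put_be32(u8 *a, uint32_t v)
{
    a[0] = (u8)(v >> 24); a[1] = (u8)(v >> 16);
    a[2] = (u8)(v >> 8);  a[3] = (u8)v;
}

/* The pattern gcc 4.3 flags: a 4-byte store through a 3-byte array, which
 * only works because oui_type is the next byte in memory. */
static void put_selector_via_be32(struct wpa_ie_hdr *hdr, uint32_t sel)
{
    wpa_put_be32(hdr->oui, sel); /* "array subscript is above array bounds" */
}

/* The same bytes without leaving any array's bounds: the OUI octets and the
 * type field are written separately (the "do not use WPA_PUT_BE32" option). */
static void put_selector_by_field(struct wpa_ie_hdr *hdr, uint32_t sel)
{
    hdr->oui[0] = (u8)(sel >> 24);
    hdr->oui[1] = (u8)(sel >> 16);
    hdr->oui[2] = (u8)(sel >> 8);
    hdr->oui_type = (u8)sel;
}

/* Returns 1 when both encodings give byte-identical headers, i.e. the existing
 * code is functionally right (as the reply says) even though it trips the
 * warning; sel carries the 24-bit OUI in its high three octets. */
int selector_encodings_agree(uint32_t sel)
{
    struct wpa_ie_hdr a = {0}, b = {0};
    put_selector_via_be32(&a, sel);
    put_selector_by_field(&b, sel);
    return memcmp(&a, &b, sizeof(a)) == 0;
}
```

Compiling the block with -O2 -Wall on a gcc that implements -Warray-bounds reproduces the warning on the put_selector_via_be32 line only; the by-field version is warning-free and emits the same bytes.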


More information about the HostAP mailing list