array access out of boundary

[spcharc]

In function phydm_dfs_histogram_radar_distinguish

    for (i = 0; i < 6; i++) {
        dfs->pw_hold[dfs->hist_idx][i] = (u8)g_pw[i];
        dfs->pri_hold[dfs->hist_idx][i] = (u8)g_pri[i];
        /*@collect whole histogram report may take some time
         *so we add the counter of 2 time slots in FCC and ETSI
         */
        dfs->pw_hold_sum[i] = dfs->pw_hold_sum[i] +
            dfs->pw_hold[(dfs->hist_idx + 1) % 3][i] +
            dfs->pw_hold[(dfs->hist_idx + 2) % 3][i];
        dfs->pri_hold_sum[i] = dfs->pri_hold_sum[i] +
            dfs->pri_hold[(dfs->hist_idx + 1) % 3][i] +
            dfs->pri_hold[(dfs->hist_idx + 2) % 3][i];
    }
    /*@For long radar type*/
    for (j = 1; j < 4; j++) {
        dfs->pw_long_hold_sum[i] = dfs->pw_long_hold_sum[i] +
            dfs->pw_hold[(dfs->hist_long_idx + j) % 4][i];
        dfs->pri_long_hold_sum[i] = dfs->pri_long_hold_sum[i] +
            dfs->pri_hold[(dfs->hist_long_idx + j) % 4][i];
    }

After the 1st loop ends, the 2nd loop starts with i=6, which causes out of boundary access of pw_long_hold_sum and pw_hold

[morrownr]

Wonderful! Sarcasm...

Have you considered or tested any fixes?

I do have a later very of the source so I could take a look at that but I am leaving on a trip right now so it could be a few days.

[spcharc]

I just removed the 2nd for loop (after /*@For long radar type*/). Works without issue. It is definitely not the correct way to fix, so I created an issue not a pull request.