diff options
author | Jesper Juhl <jesper.juhl@gmail.com> | 2007-08-09 20:47:15 +0200 |
---|---|---|
committer | James Bottomley <jejb@mulgrave.localdomain> | 2007-10-12 14:40:03 -0400 |
commit | a0a74e45057cc3138c29173e7b0b3db8b30939ae (patch) | |
tree | 8994020055e142081edb7111cfbd4a5cf0818acb /drivers/scsi/aacraid/aachba.c | |
parent | a43e6bd1be17573b4f9489190d440677bcb300f6 (diff) |
[SCSI] lpfc: fix potential overflow of hbqs array
The Coverity checker noticed that we may overrun a statically allocated
array in drivers/scsi/lpfc/lpfc_sli.c::lpfc_sli_hbqbuf_find().
The case is this; In 'struct lpfc_hba' we have
#define LPFC_MAX_HBQS 4
...
struct lpfc_hba {
...
struct hbq_s hbqs[LPFC_MAX_HBQS];
...
};
But then in lpfc_sli_hbqbuf_find() we have this code
hbqno = tag >> 16;
if (hbqno > LPFC_MAX_HBQS)
return NULL;
if 'hbqno' ends up as exactely 4, then we won't return, and then this
list_for_each_entry(d_buf, &phba->hbqs[hbqno].hbq_buffer_list, list) {
will cause an overflow of the statically allocated array at index 4,
since the valid indices are only 0-3.
I propose this patch, that simply changes the 'hbqno > LPFC_MAX_HBQS'
into 'hbqno >= LPFC_MAX_HBQS' as a possible fix.
Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Acked-by: James Smart <James.Smart@Emulex.Com>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
Diffstat (limited to 'drivers/scsi/aacraid/aachba.c')
0 files changed, 0 insertions, 0 deletions