[PATCH v2 44/72] ncr5380: Fix off-by-one bug in extended_msg[] bounds check
From: Finn Thain
Date: Sat Dec 05 2015 - 22:48:19 EST
Fix the array bounds check when transferring an extended message from the
target.
Signed-off-by: Finn Thain <fthain@xxxxxxxxxxxxxxxxxxx>
---
drivers/scsi/NCR5380.c | 3 ++-
drivers/scsi/atari_NCR5380.c | 4 ++--
2 files changed, 4 insertions(+), 3 deletions(-)
Index: linux/drivers/scsi/NCR5380.c
===================================================================
--- linux.orig/drivers/scsi/NCR5380.c 2015-12-06 12:30:36.000000000 +1100
+++ linux/drivers/scsi/NCR5380.c 2015-12-06 12:30:38.000000000 +1100
@@ -2034,7 +2034,8 @@ static void NCR5380_information_transfer
dprintk(NDEBUG_EXTENDED, "scsi%d : length=%d, code=0x%02x\n", instance->host_no, (int) extended_msg[1], (int) extended_msg[2]);
- if (!len && extended_msg[1] <= (sizeof(extended_msg) - 1)) {
+ if (!len && extended_msg[1] > 0 &&
+ extended_msg[1] <= sizeof(extended_msg) - 2) {
/* Accept third byte by clearing ACK */
NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE);
len = extended_msg[1] - 1;
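Review bot: The added `extended_msg[1] > 0` test in the new condition is a second behavioural change that the changelog does not mention; the commit message only describes the off-by-one in the upper bound. Without it, a length byte of zero would pass the old check and reach `len = extended_msg[1] - 1`, which evaluates 0 - 1. Please add a sentence to the changelog saying that a zero length now fails this check and why that is the intended handling.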
Index: linux/drivers/scsi/atari_NCR5380.c
===================================================================
--- linux.orig/drivers/scsi/atari_NCR5380.c 2015-12-06 12:30:36.000000000 +1100
+++ linux/drivers/scsi/atari_NCR5380.c 2015-12-06 12:30:38.000000000 +1100
@@ -2325,8 +2325,8 @@ static void NCR5380_information_transfer
dprintk(NDEBUG_EXTENDED, "scsi%d: length=%d, code=0x%02x\n", HOSTNO,
(int)extended_msg[1], (int)extended_msg[2]);
- if (!len && extended_msg[1] <=
- (sizeof(extended_msg) - 1)) {
+ if (!len && extended_msg[1] > 0 &&
+ extended_msg[1] <= sizeof(extended_msg) - 2) {
/* Accept third byte by clearing ACK */
NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE);
len = extended_msg[1] - 1;
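Review bot: The upper bound `sizeof(extended_msg) - 2` in the new condition is an unexplained constant, and it now exists as an identical copy in both NCR5380.c and atari_NCR5380.c. A one-line comment above the `if` saying which two bytes of extended_msg[] the subtraction accounts for would help. Going by the dprintk above, extended_msg[1] is the length and extended_msg[2] the code, so these are presumably the two bytes that precede the counted part of the message. With that comment a reader could verify the bound without re-deriving it, and the two copies would be easier to keep in step.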