Re: [PATCH] snic: correctly check for array overrun on overly long version number
From: Martin K. Petersen
Date: Tue Mar 01 2016 - 20:10:02 EST
>>>>> "Colin" == Colin King <colin.king@xxxxxxxxxxxxx> writes:
Colin> The snic version number is expected to be 4 decimals in the form
Colin> like a netmask string with each number stored in an element in
Colin> array v. However, there is an off-by-one check on the number of
Colin> elements in v allowing one to pass a 5 decimal version number
Colin> causing v[4] to be referenced, causing a buffer overrun. Fix the
Colin> off-by-one error by comparing to i > 3 rather than 4.
Applied to 4.6/scsi-queue.
--
Martin K. Petersen Oracle Linux Engineering