]> err.no Git - linux-2.6/commitdiff
[SCSI] lpfc: fix potential overflow of hbqs array
authorJesper Juhl <jesper.juhl@gmail.com>
Thu, 9 Aug 2007 18:47:15 +0000 (20:47 +0200)
committerJames Bottomley <jejb@mulgrave.localdomain>
Fri, 12 Oct 2007 18:40:03 +0000 (14:40 -0400)
The Coverity checker noticed that we may overrun a statically allocated
array in drivers/scsi/lpfc/lpfc_sli.c::lpfc_sli_hbqbuf_find().

The case is this; In 'struct lpfc_hba' we have

#define LPFC_MAX_HBQS  4
...
struct lpfc_hba {
...
struct hbq_s hbqs[LPFC_MAX_HBQS];
...
};

But then in lpfc_sli_hbqbuf_find() we have this code

hbqno = tag >> 16;
if (hbqno > LPFC_MAX_HBQS)
return NULL;

if 'hbqno' ends up as exactely 4, then we won't return, and then this

list_for_each_entry(d_buf, &phba->hbqs[hbqno].hbq_buffer_list, list) {

will cause an overflow of the statically allocated array at index 4,
since the valid indices are only 0-3.

I propose this patch, that simply changes the 'hbqno > LPFC_MAX_HBQS'
into 'hbqno >= LPFC_MAX_HBQS' as a possible fix.

Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Acked-by: James Smart <James.Smart@Emulex.Com>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
drivers/scsi/lpfc/lpfc_sli.c

index ce5ff2bccba68198f0a3570029bb8a4cdec6441e..e5337ad4121efd36f9d6493dc6ea011cd9404b6c 100644 (file)
@@ -675,7 +675,7 @@ lpfc_sli_hbqbuf_find(struct lpfc_hba *phba, uint32_t tag)
        uint32_t hbqno;
 
        hbqno = tag >> 16;
-       if (hbqno > LPFC_MAX_HBQS)
+       if (hbqno >= LPFC_MAX_HBQS)
                return NULL;
 
        list_for_each_entry(d_buf, &phba->hbqs[hbqno].hbq_buffer_list, list) {