[SCSI] bfa: off by one in bfa_ioc_mbox_isr()
authorDan Carpenter <dan.carpenter@oracle.com>
Wed, 27 Jun 2012 08:59:36 +0000 (11:59 +0300)
committerJames Bottomley <JBottomley@Parallels.com>
Fri, 20 Jul 2012 07:58:37 +0000 (08:58 +0100)
If mc == BFI_MC_MAX then we're reading past the end of the
mod->mbhdlr[] array.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Krishna Gudipati <kgudipat@brocade.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
drivers/scsi/bfa/bfa_ioc.c

index 14e6284e48e4110b4c907b06dacb311c06c26f77..8cdb79c2fcdf96519f1328d37abc512fb399519a 100644 (file)
@@ -2357,7 +2357,7 @@ bfa_ioc_mbox_isr(struct bfa_ioc_s *ioc)
                        return;
                }
 
-               if ((mc > BFI_MC_MAX) || (mod->mbhdlr[mc].cbfn == NULL))
+               if ((mc >= BFI_MC_MAX) || (mod->mbhdlr[mc].cbfn == NULL))
                        return;
 
                mod->mbhdlr[mc].cbfn(mod->mbhdlr[mc].cbarg, &m);