From: Dan Carpenter Date: Sat, 2 Apr 2011 21:32:47 +0000 (-0700) Subject: loopback: off by one in tcm_loop_make_naa_tpg() X-Git-Tag: firefly_0821_release~3680^2~4997^2~17 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=12f09ccb4612734a53e47ed5302e0479c10a50f8;p=firefly-linux-kernel-4.4.55.git loopback: off by one in tcm_loop_make_naa_tpg() This is an off by one 'tgpt' check in tcm_loop_make_naa_tpg() that could result in memory corruption. Signed-off-by: Dan Carpenter Signed-off-by: Nicholas A. Bellinger --- diff --git a/drivers/target/loopback/tcm_loop.c b/drivers/target/loopback/tcm_loop.c index c2937b2035d3..083d6c51f052 100644 --- a/drivers/target/loopback/tcm_loop.c +++ b/drivers/target/loopback/tcm_loop.c @@ -1205,7 +1205,7 @@ struct se_portal_group *tcm_loop_make_naa_tpg( tpgt_str += 5; /* Skip ahead of "tpgt_" */ tpgt = (unsigned short int) simple_strtoul(tpgt_str, &end_ptr, 0); - if (tpgt > TL_TPGS_PER_HBA) { + if (tpgt >= TL_TPGS_PER_HBA) { printk(KERN_ERR "Passed tpgt: %hu exceeds TL_TPGS_PER_HBA:" " %u\n", tpgt, TL_TPGS_PER_HBA); return ERR_PTR(-EINVAL);