From: Maciej Patelczyk Date: Tue, 21 Jun 2011 22:03:13 +0000 (+0000) Subject: isci: possible buffer overflow in isci_parse_oem_parameters fixed X-Git-Tag: firefly_0821_release~3680^2~5121^2~1^2~19 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=7cafbf1bd56be44038148bb8f733ea6e6a6a2d53;p=firefly-linux-kernel-4.4.55.git isci: possible buffer overflow in isci_parse_oem_parameters fixed scu_index is a parameter of isci_parse_eom_parameters and is an index in controller table. There is a check: scu_index > SCI_MAX_CONTROLLERS which is insufficient and should be: scu_index >= SCI_MAX_CONTROLLERS. scu_index is used as an index in the table which size is SCI_MAX_CONTROLLERS. Signed-off-by: Maciej Patelczyk Signed-off-by: Dan Williams --- diff --git a/drivers/scsi/isci/probe_roms.c b/drivers/scsi/isci/probe_roms.c index bc52a6174070..99b13c191877 100644 --- a/drivers/scsi/isci/probe_roms.c +++ b/drivers/scsi/isci/probe_roms.c @@ -125,7 +125,7 @@ enum sci_status isci_parse_oem_parameters(union scic_oem_parameters *oem_params, struct isci_orom *orom, int scu_index) { /* check for valid inputs */ - if (scu_index < 0 || scu_index > SCI_MAX_CONTROLLERS || + if (scu_index < 0 || scu_index >= SCI_MAX_CONTROLLERS || scu_index > orom->hdr.num_elements || !oem_params) return -EINVAL;