summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2018-04-03 10:52:22 +0200
committerMartin K. Petersen <martin.petersen@oracle.com>2018-04-10 03:32:45 +0200
commitccc495efb326d17be3e7790b5aa49b25e239ead7 (patch)
tree0175dd4432acf6e8aa060516df77280eb4207a60
parentscsi: dpt_i2o: Use after free in I2ORESETCMD ioctl (diff)
downloadlinux-ccc495efb326d17be3e7790b5aa49b25e239ead7.tar.xz
linux-ccc495efb326d17be3e7790b5aa49b25e239ead7.zip
scsi: cxgb4i: silence overflow warning in t4_uld_rx_handler()
Smatch marks skb->data as untrusted so it complains that there is a potential overflow here: drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:2111 t4_uld_rx_handler() error: buffer overflow 'cxgb4i_cplhandlers' 239 <= 255. In this case, skb->data comes from the hardware or firmware so it's not going to overflow unless there is a firmware bug. [mkp: fixed braces] Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-rw-r--r--drivers/scsi/cxgbi/cxgb4i/cxgb4i.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
index 406e94312d4e..211da1d5a869 100644
--- a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
+++ b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
@@ -2108,12 +2108,12 @@ static int t4_uld_rx_handler(void *handle, const __be64 *rsp,
log_debug(1 << CXGBI_DBG_TOE,
"cdev %p, opcode 0x%x(0x%x,0x%x), skb %p.\n",
cdev, opc, rpl->ot.opcode_tid, ntohl(rpl->ot.opcode_tid), skb);
- if (cxgb4i_cplhandlers[opc])
- cxgb4i_cplhandlers[opc](cdev, skb);
- else {
+ if (opc >= ARRAY_SIZE(cxgb4i_cplhandlers) || !cxgb4i_cplhandlers[opc]) {
pr_err("No handler for opcode 0x%x.\n", opc);
__kfree_skb(skb);
- }
+ } else
+ cxgb4i_cplhandlers[opc](cdev, skb);
+
return 0;
nomem:
log_debug(1 << CXGBI_DBG_TOE, "OOM bailing out.\n");