diff options
author | Finn Thain <fthain@telegraphics.com.au> | 2016-01-03 06:05:45 +0100 |
---|---|---|
committer | Martin K. Petersen <martin.petersen@oracle.com> | 2016-01-07 03:43:02 +0100 |
commit | e0783ed3660aecb83af580cdace583980b22809b (patch) | |
tree | 3a6190115137d208386cd2e8e93fbe61e95dd091 /drivers/scsi | |
parent | ncr5380: Standardize reselection handling (diff) | |
download | linux-e0783ed3660aecb83af580cdace583980b22809b.tar.xz linux-e0783ed3660aecb83af580cdace583980b22809b.zip |
ncr5380: Fix off-by-one bug in extended_msg[] bounds check
Fix the array bounds check when transferring an extended message from the
target.
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Tested-by: Ondrej Zary <linux@rainbow-software.org>
Tested-by: Michael Schmitz <schmitzmic@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Diffstat (limited to 'drivers/scsi')
-rw-r--r-- | drivers/scsi/NCR5380.c | 3 | ||||
-rw-r--r-- | drivers/scsi/atari_NCR5380.c | 4 |
2 files changed, 4 insertions, 3 deletions
diff --git a/drivers/scsi/NCR5380.c b/drivers/scsi/NCR5380.c index 78cf970e13ba..c6b69ee0021a 100644 --- a/drivers/scsi/NCR5380.c +++ b/drivers/scsi/NCR5380.c @@ -2039,7 +2039,8 @@ static void NCR5380_information_transfer(struct Scsi_Host *instance) { dprintk(NDEBUG_EXTENDED, "scsi%d : length=%d, code=0x%02x\n", instance->host_no, (int) extended_msg[1], (int) extended_msg[2]); - if (!len && extended_msg[1] <= (sizeof(extended_msg) - 1)) { + if (!len && extended_msg[1] > 0 && + extended_msg[1] <= sizeof(extended_msg) - 2) { /* Accept third byte by clearing ACK */ NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE); len = extended_msg[1] - 1; diff --git a/drivers/scsi/atari_NCR5380.c b/drivers/scsi/atari_NCR5380.c index 214f43b4baad..c14cfb1cc3dd 100644 --- a/drivers/scsi/atari_NCR5380.c +++ b/drivers/scsi/atari_NCR5380.c @@ -2330,8 +2330,8 @@ static void NCR5380_information_transfer(struct Scsi_Host *instance) dprintk(NDEBUG_EXTENDED, "scsi%d: length=%d, code=0x%02x\n", HOSTNO, (int)extended_msg[1], (int)extended_msg[2]); - if (!len && extended_msg[1] <= - (sizeof(extended_msg) - 1)) { + if (!len && extended_msg[1] > 0 && + extended_msg[1] <= sizeof(extended_msg) - 2) { /* Accept third byte by clearing ACK */ NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE); len = extended_msg[1] - 1; |