summaryrefslogtreecommitdiffstats
path: root/drivers/scsi
diff options
context:
space:
mode:
authorFinn Thain <fthain@telegraphics.com.au>2016-01-03 06:05:45 +0100
committerMartin K. Petersen <martin.petersen@oracle.com>2016-01-07 03:43:02 +0100
commite0783ed3660aecb83af580cdace583980b22809b (patch)
tree3a6190115137d208386cd2e8e93fbe61e95dd091 /drivers/scsi
parentncr5380: Standardize reselection handling (diff)
downloadlinux-e0783ed3660aecb83af580cdace583980b22809b.tar.xz
linux-e0783ed3660aecb83af580cdace583980b22809b.zip
ncr5380: Fix off-by-one bug in extended_msg[] bounds check
Fix the array bounds check when transferring an extended message from the target. Signed-off-by: Finn Thain <fthain@telegraphics.com.au> Reviewed-by: Hannes Reinecke <hare@suse.com> Tested-by: Ondrej Zary <linux@rainbow-software.org> Tested-by: Michael Schmitz <schmitzmic@gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Diffstat (limited to 'drivers/scsi')
-rw-r--r--drivers/scsi/NCR5380.c3
-rw-r--r--drivers/scsi/atari_NCR5380.c4
2 files changed, 4 insertions, 3 deletions
diff --git a/drivers/scsi/NCR5380.c b/drivers/scsi/NCR5380.c
index 78cf970e13ba..c6b69ee0021a 100644
--- a/drivers/scsi/NCR5380.c
+++ b/drivers/scsi/NCR5380.c
@@ -2039,7 +2039,8 @@ static void NCR5380_information_transfer(struct Scsi_Host *instance) {
dprintk(NDEBUG_EXTENDED, "scsi%d : length=%d, code=0x%02x\n", instance->host_no, (int) extended_msg[1], (int) extended_msg[2]);
- if (!len && extended_msg[1] <= (sizeof(extended_msg) - 1)) {
+ if (!len && extended_msg[1] > 0 &&
+ extended_msg[1] <= sizeof(extended_msg) - 2) {
/* Accept third byte by clearing ACK */
NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE);
len = extended_msg[1] - 1;
diff --git a/drivers/scsi/atari_NCR5380.c b/drivers/scsi/atari_NCR5380.c
index 214f43b4baad..c14cfb1cc3dd 100644
--- a/drivers/scsi/atari_NCR5380.c
+++ b/drivers/scsi/atari_NCR5380.c
@@ -2330,8 +2330,8 @@ static void NCR5380_information_transfer(struct Scsi_Host *instance)
dprintk(NDEBUG_EXTENDED, "scsi%d: length=%d, code=0x%02x\n", HOSTNO,
(int)extended_msg[1], (int)extended_msg[2]);
- if (!len && extended_msg[1] <=
- (sizeof(extended_msg) - 1)) {
+ if (!len && extended_msg[1] > 0 &&
+ extended_msg[1] <= sizeof(extended_msg) - 2) {
/* Accept third byte by clearing ACK */
NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE);
len = extended_msg[1] - 1;