aboutsummaryrefslogtreecommitdiff
path: root/drivers/scsi/lpfc
diff options
context:
space:
mode:
authorJesper Juhl <jesper.juhl@gmail.com>2007-08-09 20:47:15 +0200
committerJames Bottomley <jejb@mulgrave.localdomain>2007-10-12 14:40:03 -0400
commita0a74e45057cc3138c29173e7b0b3db8b30939ae (patch)
tree8994020055e142081edb7111cfbd4a5cf0818acb /drivers/scsi/lpfc
parenta43e6bd1be17573b4f9489190d440677bcb300f6 (diff)
[SCSI] lpfc: fix potential overflow of hbqs array
The Coverity checker noticed that we may overrun a statically allocated array in drivers/scsi/lpfc/lpfc_sli.c::lpfc_sli_hbqbuf_find(). The case is this; In 'struct lpfc_hba' we have #define LPFC_MAX_HBQS 4 ... struct lpfc_hba { ... struct hbq_s hbqs[LPFC_MAX_HBQS]; ... }; But then in lpfc_sli_hbqbuf_find() we have this code hbqno = tag >> 16; if (hbqno > LPFC_MAX_HBQS) return NULL; if 'hbqno' ends up as exactely 4, then we won't return, and then this list_for_each_entry(d_buf, &phba->hbqs[hbqno].hbq_buffer_list, list) { will cause an overflow of the statically allocated array at index 4, since the valid indices are only 0-3. I propose this patch, that simply changes the 'hbqno > LPFC_MAX_HBQS' into 'hbqno >= LPFC_MAX_HBQS' as a possible fix. Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com> Acked-by: James Smart <James.Smart@Emulex.Com> Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
Diffstat (limited to 'drivers/scsi/lpfc')
-rw-r--r--drivers/scsi/lpfc/lpfc_sli.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index ce5ff2bccba..e5337ad4121 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -675,7 +675,7 @@ lpfc_sli_hbqbuf_find(struct lpfc_hba *phba, uint32_t tag)
uint32_t hbqno;
hbqno = tag >> 16;
- if (hbqno > LPFC_MAX_HBQS)
+ if (hbqno >= LPFC_MAX_HBQS)
return NULL;
list_for_each_entry(d_buf, &phba->hbqs[hbqno].hbq_buffer_list, list) {