diff options
author | KAMBAROV, ZAUR <kambarov@berkeley.edu> | 2005-06-28 20:45:06 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@ppc970.osdl.org> | 2005-06-28 21:20:33 -0700 |
commit | a77e3362a224212d9d3b9e6fdec44df2eef6cf92 (patch) | |
tree | 5ebf2ebc3df91674101b6a5591753ee1d999abea | |
parent | a8f5034540195307362d071a8b387226b410469f (diff) |
[PATCH] coverity: i386: scsi_lib buffer overrun fix
The check in
627 BUG_ON(index > SG_MEMPOOL_NR);
with SG_MEMPOOL_NR defined in
32 #define SG_MEMPOOL_NR (sizeof(scsi_sg_pools)/sizeof(struct scsi_host_sg_pool))
was not sufficient.
sgp, set in
629 sgp = scsi_sg_pools + index;
is dereferenced in
630 mempool_free(sgl, sgp->pool);
Signed-off-by: Zaur Kambarov <zkambarov@coverity.com>
Cc: <linux-scsi@vger.kernel.org>
Cc: James Bottomley <James.Bottomley@steeleye.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r-- | drivers/scsi/scsi_lib.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c index 621dee8b8cb2..10506f9cd0c9 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c @@ -632,7 +632,7 @@ static void scsi_free_sgtable(struct scatterlist *sgl, int index) { struct scsi_host_sg_pool *sgp; - BUG_ON(index > SG_MEMPOOL_NR); + BUG_ON(index >= SG_MEMPOOL_NR); sgp = scsi_sg_pools + index; mempool_free(sgl, sgp->pool); |