diff options
author | Colin Ian King <colin.king@canonical.com> | 2016-02-25 22:58:25 +0000 |
---|---|---|
committer | Martin K. Petersen <martin.petersen@oracle.com> | 2016-03-01 20:08:49 -0500 |
commit | bbb7bace0346d43da1bd27d809928f3d07bbd1e7 (patch) | |
tree | 84328303e952487f72ec89aae0a5bca6d1ffd3cf | |
parent | a6d24143fca421c836f78538705c8e5b3ef04e3d (diff) |
snic: correctly check for array overrun on overly long version number
The snic version number is expected to be 4 decimals in the form like a
netmask string with each number stored in an element in array v.
However, there is an off-by-one check on the number of elements in v
allowing one to pass a 5 decimal version number causing v[4] to be
referenced, causing a buffer overrun. Fix the off-by-one error by
comparing to i > 3 rather than 4.
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: Shane Seymour <shane.seymour@hpe.com>
Reviewed-by: Ewan Milne <emilne@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-rw-r--r-- | drivers/scsi/snic/snic_ctl.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/scsi/snic/snic_ctl.c b/drivers/scsi/snic/snic_ctl.c index aebe75320ed3..ab0e06b0b4ff 100644 --- a/drivers/scsi/snic/snic_ctl.c +++ b/drivers/scsi/snic/snic_ctl.c @@ -75,7 +75,7 @@ snic_ver_enc(const char *s) continue; } - if (i > 4 || !isdigit(c)) + if (i > 3 || !isdigit(c)) goto end; v[i] = v[i] * 10 + (c - '0'); |