diff options
| author | KAMBAROV, ZAUR | 2005-06-29 05:45:06 +0200 |
|---|---|---|
| committer | Linus Torvalds | 2005-06-29 06:20:33 +0200 |
| commit | a77e3362a224212d9d3b9e6fdec44df2eef6cf92 (patch) | |
| tree | 5ebf2ebc3df91674101b6a5591753ee1d999abea /drivers | |
| parent | [PATCH] coverity: i386: build.c: negative return to unsigned fix (diff) | |
| download | kernel-qcow2-linux-a77e3362a224212d9d3b9e6fdec44df2eef6cf92.tar.gz kernel-qcow2-linux-a77e3362a224212d9d3b9e6fdec44df2eef6cf92.tar.xz kernel-qcow2-linux-a77e3362a224212d9d3b9e6fdec44df2eef6cf92.zip | |
[PATCH] coverity: i386: scsi_lib buffer overrun fix
The check in
627 BUG_ON(index > SG_MEMPOOL_NR);
with SG_MEMPOOL_NR defined in
32 #define SG_MEMPOOL_NR (sizeof(scsi_sg_pools)/sizeof(struct scsi_host_sg_pool))
was not sufficient.
sgp, set in
629 sgp = scsi_sg_pools + index;
is dereferenced in
630 mempool_free(sgl, sgp->pool);
Signed-off-by: Zaur Kambarov <zkambarov@coverity.com>
Cc: <linux-scsi@vger.kernel.org>
Cc: James Bottomley <James.Bottomley@steeleye.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/scsi/scsi_lib.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c index 621dee8b8cb2..10506f9cd0c9 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c @@ -632,7 +632,7 @@ static void scsi_free_sgtable(struct scatterlist *sgl, int index) { struct scsi_host_sg_pool *sgp; - BUG_ON(index > SG_MEMPOOL_NR); + BUG_ON(index >= SG_MEMPOOL_NR); sgp = scsi_sg_pools + index; mempool_free(sgl, sgp->pool); |