hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

esas2r: Fix array overrun 

Check the array size *before* dereferencing it with a user provided
offset.

Signed-off-by: Alan Cox <alan@linux.intel.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
This commit is contained in:
Alan 2016-02-15 19:01:29 +00:00 committed by Martin K. Petersen
parent 5a51a7abca
commit 5b2e0c1bef
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
drivers/scsi/esas2r/esas2r_ioctl.c
View File

@ -1360,14 +1360,15 @@ int esas2r_ioctl_handler(void *hostdata, int cmd, void __user *arg)
if (ioctl->header.channel == 0xFF) { if (ioctl->header.channel == 0xFF) {
a = (struct esas2r_adapter *)hostdata; a = (struct esas2r_adapter *)hostdata;
} else { } else {
a = esas2r_adapters[ioctl->header.channel]; if (ioctl->header.channel >= MAX_ADAPTERS ||
if (ioctl->header.channel >= MAX_ADAPTERS || (a == NULL)) { esas2r_adapters[ioctl->header.channel] == NULL) {
ioctl->header.return_code = IOCTL_BAD_CHANNEL; ioctl->header.return_code = IOCTL_BAD_CHANNEL;
esas2r_log(ESAS2R_LOG_WARN, "bad channel value"); esas2r_log(ESAS2R_LOG_WARN, "bad channel value");
kfree(ioctl); kfree(ioctl);
return -ENOTSUPP; return -ENOTSUPP;
} }
a = esas2r_adapters[ioctl->header.channel];
} }
switch (cmd) { switch (cmd) {