[PATCH] coverity: i386: scsi_lib buffer overrun fix
The check in
627 BUG_ON(index > SG_MEMPOOL_NR);
with SG_MEMPOOL_NR defined in
32 #define SG_MEMPOOL_NR (sizeof(scsi_sg_pools)/sizeof(struct scsi_host_sg_pool))
was not sufficient. sgp, set in
629 sgp = scsi_sg_pools + index;
is dereferenced in
630 mempool_free(sgl, sgp->pool);

Signed-off-by: Zaur Kambarov <zkambarov@coverity.com>
Cc: <linux-scsi@vger.kernel.org>
Cc: James Bottomley <James.Bottomley@steeleye.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
parent a8f5034540
commit a77e3362a2
|
@ -632,7 +632,7 @@ static void scsi_free_sgtable(struct scatterlist *sgl, int index)
|
|||
{
|
||||
struct scsi_host_sg_pool *sgp;
|
||||
|
||||
BUG_ON(index > SG_MEMPOOL_NR);
|
||||
BUG_ON(index >= SG_MEMPOOL_NR);
|
||||
|
||||
sgp = scsi_sg_pools + index;
|
||||
mempool_free(sgl, sgp->pool);
|
||||
|
|
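Review bot: the corrected BUG_ON(index >= SG_MEMPOOL_NR) states only an upper bound, yet index is declared as a signed int in the scsi_free_sgtable() signature and is then used directly in sgp = scsi_sg_pools + index. A negative index is rejected only because SG_MEMPOOL_NR is a sizeof expression, so the comparison is done in unsigned arithmetic and a negative value compares as a very large one. That protection is implicit and would be lost if SG_MEMPOOL_NR were ever redefined as a plain signed constant. Consider making index unsigned, or adding a short comment above the BUG_ON noting that the unsigned comparison is what covers the lower bound. It would also help if the commit message said explicitly that index == SG_MEMPOOL_NR points one element past the end of scsi_sg_pools, since that is the case the old > comparison let through to the sgp->pool dereference.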