qed: off by one in qed_parse_mcp_trace_buf()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

If format_idx == s_mcp_trace_meta.formats_num then we read one element
beyond the end of the s_mcp_trace_meta.formats[] array.

Fixes: 50bc60cb155c ("qed*: Utilize FW 8.33.11.0")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Tomer Tayar <Tomer.Tayar@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Dan Carpenter and committed by

David S. Miller 7 years ago 0df8adbb 5e7ba042

+1 -1

1 changed file

expand all

drivers

net

ethernet

qlogic

qed

qed_debug.c

+1 -1

drivers/net/ethernet/qlogic/qed/qed_debug.c

··· 6723 6723 format_idx = header & MFW_TRACE_EVENTID_MASK; 6724 6724 6725 6725 /* Skip message if its index doesn't exist in the meta data */ 6726 - if (format_idx > s_mcp_trace_meta.formats_num) { 6726 + if (format_idx >= s_mcp_trace_meta.formats_num) { 6727 6727 u8 format_size = 6728 6728 (u8)((header & MFW_TRACE_PRM_SIZE_MASK) >> 6729 6729 MFW_TRACE_PRM_SIZE_SHIFT);