libata: zpodd: small read overflow in eject_tray()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.

Fixes: 213342053db5 ("libata: handle power transition of ODD")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: stable@vger.kernel.org

authored by

Dan Carpenter and committed by

Tejun Heo 7 years ago 18c9a99b 4544e403

+1 -1

1 changed file

expand all

drivers

ata

libata-zpodd.c

+1 -1

drivers/ata/libata-zpodd.c

··· 35 35 static int eject_tray(struct ata_device *dev) 36 36 { 37 37 struct ata_taskfile tf; 38 - static const char cdb[] = { GPCMD_START_STOP_UNIT, 38 + static const char cdb[ATAPI_CDB_LEN] = { GPCMD_START_STOP_UNIT, 39 39 0, 0, 0, 40 40 0x02, /* LoEj */ 41 41 0, 0, 0, 0, 0, 0, 0,