s390/dcss: array index 'i' is used before limits check.

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Avoid out-of-bounds-read by checking count before indexing.

Signed-off-by : Ameen Ali <Ameenali023@gmail.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>

authored by

Ameen Ali and committed by

Martin Schwidefsky 11 years ago 3a9f9183 a13ccb04

+1 -1

1 changed file

expand all

drivers

s390

block

dcssblk.c

+1 -1

drivers/s390/block/dcssblk.c

··· 547 547 * parse input 548 548 */ 549 549 num_of_segments = 0; 550 - for (i = 0; ((buf[i] != '\0') && (buf[i] != '\n') && i < count); i++) { 550 + for (i = 0; (i < count && (buf[i] != '\0') && (buf[i] != '\n')); i++) { 551 551 for (j = i; (buf[j] != ':') && 552 552 (buf[j] != '\0') && 553 553 (buf[j] != '\n') &&