[PATCH] coverity: i386: scsi_lib buffer overrun fix

The check in

627 BUG_ON(index > SG_MEMPOOL_NR);

with SG_MEMPOOL_NR defined in

32 #define SG_MEMPOOL_NR (sizeof(scsi_sg_pools)/sizeof(struct scsi_host_sg_pool))

was not sufficient.

sgp, set in

629 sgp = scsi_sg_pools + index;

is dereferenced in

630 mempool_free(sgl, sgp->pool);

Signed-off-by: Zaur Kambarov <zkambarov@coverity.com>
Cc: <linux-scsi@vger.kernel.org>
Cc: James Bottomley <James.Bottomley@steeleye.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

authored by KAMBAROV, ZAUR and committed by Linus Torvalds a77e3362 a8f50345

+1 -1
drivers/scsi/scsi_lib.c
··· 632 632 { 633 633 struct scsi_host_sg_pool *sgp; 634 634 635 - BUG_ON(index > SG_MEMPOOL_NR); 635 + BUG_ON(index >= SG_MEMPOOL_NR); 636 636 637 637 sgp = scsi_sg_pools + index; 638 638 mempool_free(sgl, sgp->pool);
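Review bot: the new check `BUG_ON(index >= SG_MEMPOOL_NR)` at line 635 bounds index only from above, and the hunk does not show how index is declared. If it is a signed type, a negative value still passes the check and `scsi_sg_pools + index` points before the start of the array, so confirm in the function signature that index is unsigned, or add a lower-bound check. The `>=` comparison itself matches the array bound: with `>`, index == SG_MEMPOOL_NR passed the check and `sgp->pool` was read from one element past the end of scsi_sg_pools.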