-
由 Jesper Juhl 提交于
The Coverity checker noticed that we may overrun a statically allocated array in drivers/scsi/lpfc/lpfc_sli.c::lpfc_sli_hbqbuf_find(). The case is this; In 'struct lpfc_hba' we have #define LPFC_MAX_HBQS 4 ... struct lpfc_hba { ... struct hbq_s hbqs[LPFC_MAX_HBQS]; ... }; But then in lpfc_sli_hbqbuf_find() we have this code hbqno = tag >> 16; if (hbqno > LPFC_MAX_HBQS) return NULL; if 'hbqno' ends up as exactely 4, then we won't return, and then this list_for_each_entry(d_buf, &phba->hbqs[hbqno].hbq_buffer_list, list) { will cause an overflow of the statically allocated array at index 4, since the valid indices are only 0-3. I propose this patch, that simply changes the 'hbqno > LPFC_MAX_HBQS' into 'hbqno >= LPFC_MAX_HBQS' as a possible fix. Signed-off-by: NJesper Juhl <jesper.juhl@gmail.com> Acked-by: NJames Smart <James.Smart@Emulex.Com> Signed-off-by: NJames Bottomley <James.Bottomley@SteelEye.com>
a0a74e45