esas2r: Fix array overrun

Check the array size *before* dereferencing it with a user provided offset. Signed-off-by: N Alan Cox <alan@linux.intel.com> Reviewed-by: N Johannes Thumshirn <jthumshirn@suse.de> Reviewed-by: N Tomas Henzl <thenzl@redhat.com> Signed-off-by: N Martin K. Petersen <martin.petersen@oracle.com>

esas2r: Fix array overrun
Check the array size *before* dereferencing it with a user provided offset. Signed-off-by: N Alan Cox <alan@linux.intel.com> Reviewed-by: N Johannes Thumshirn <jthumshirn@suse.de> Reviewed-by: N Tomas Henzl <thenzl@redhat.com> Signed-off-by: N Martin K. Petersen <martin.petersen@oracle.com>
5b2e0c1b · Alan · Martin K. Petersen · 5a51a7ab · 5b2e0c1b
隐藏空白更改
内联并排

Showing with 3 addition and 2 deletion

drivers/scsi/esas2r/esas2r_ioctl.c drivers/scsi/esas2r/esas2r_ioctl.c +3 -2

未找到文件。
--- a/drivers/scsi/esas2r/esas2r_ioctl.c
+++ b/drivers/scsi/esas2r/esas2r_ioctl.c
@@ -1360,14 +1360,15 @@ int esas2r_ioctl_handler(void *hostdata, int cmd, void __user *arg)
 	if (ioctl->header.channel == 0xFF) {
 		a = (struct esas2r_adapter *)hostdata;
 	} else {
-		a = esas2r_adapters[ioctl->header.channel];
-		if (ioctl->header.channel >= MAX_ADAPTERS || (a == NULL)) {
+		if (ioctl->header.channel >= MAX_ADAPTERS ||
+			esas2r_adapters[ioctl->header.channel] == NULL) {
 			ioctl->header.return_code = IOCTL_BAD_CHANNEL;
 			esas2r_log(ESAS2R_LOG_WARN, "bad channel value");
 			kfree(ioctl);

 			return -ENOTSUPP;
 		}
+		a = esas2r_adapters[ioctl->header.channel];
 	}

 	switch (cmd) {