提交 e0783ed3 编写于 作者: F Finn Thain 提交者: Martin K. Petersen

ncr5380: Fix off-by-one bug in extended_msg[] bounds check

Fix the array bounds check when transferring an extended message from the
target.
Signed-off-by: NFinn Thain <fthain@telegraphics.com.au>
Reviewed-by: NHannes Reinecke <hare@suse.com>
Tested-by: NOndrej Zary <linux@rainbow-software.org>
Tested-by: NMichael Schmitz <schmitzmic@gmail.com>
Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
上级 72064a78
...@@ -2039,7 +2039,8 @@ static void NCR5380_information_transfer(struct Scsi_Host *instance) { ...@@ -2039,7 +2039,8 @@ static void NCR5380_information_transfer(struct Scsi_Host *instance) {
dprintk(NDEBUG_EXTENDED, "scsi%d : length=%d, code=0x%02x\n", instance->host_no, (int) extended_msg[1], (int) extended_msg[2]); dprintk(NDEBUG_EXTENDED, "scsi%d : length=%d, code=0x%02x\n", instance->host_no, (int) extended_msg[1], (int) extended_msg[2]);
if (!len && extended_msg[1] <= (sizeof(extended_msg) - 1)) { if (!len && extended_msg[1] > 0 &&
extended_msg[1] <= sizeof(extended_msg) - 2) {
/* Accept third byte by clearing ACK */ /* Accept third byte by clearing ACK */
NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE); NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE);
len = extended_msg[1] - 1; len = extended_msg[1] - 1;
......
...@@ -2330,8 +2330,8 @@ static void NCR5380_information_transfer(struct Scsi_Host *instance) ...@@ -2330,8 +2330,8 @@ static void NCR5380_information_transfer(struct Scsi_Host *instance)
dprintk(NDEBUG_EXTENDED, "scsi%d: length=%d, code=0x%02x\n", HOSTNO, dprintk(NDEBUG_EXTENDED, "scsi%d: length=%d, code=0x%02x\n", HOSTNO,
(int)extended_msg[1], (int)extended_msg[2]); (int)extended_msg[1], (int)extended_msg[2]);
if (!len && extended_msg[1] <= if (!len && extended_msg[1] > 0 &&
(sizeof(extended_msg) - 1)) { extended_msg[1] <= sizeof(extended_msg) - 2) {
/* Accept third byte by clearing ACK */ /* Accept third byte by clearing ACK */
NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE); NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE);
len = extended_msg[1] - 1; len = extended_msg[1] - 1;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册