esas2r: Fix array overrun
authorAlan <gnomes@lxorguk.ukuu.org.uk>
Mon, 15 Feb 2016 19:01:29 +0000 (19:01 +0000)
committerMartin K. Petersen <martin.petersen@oracle.com>
Wed, 24 Feb 2016 02:27:02 +0000 (21:27 -0500)
Check the user-provided offset against the array size *before* using it
to index the array.

Signed-off-by: Alan Cox <alan@linux.intel.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
drivers/scsi/esas2r/esas2r_ioctl.c

index baf913047b488d43cef1bf04afd9e3e6e5697329..3e8483410f610997746edf9ab65585a1b8982153 100644 (file)
@@ -1360,14 +1360,15 @@ int esas2r_ioctl_handler(void *hostdata, int cmd, void __user *arg)
        if (ioctl->header.channel == 0xFF) {
                a = (struct esas2r_adapter *)hostdata;
        } else {
-               a = esas2r_adapters[ioctl->header.channel];
-               if (ioctl->header.channel >= MAX_ADAPTERS || (a == NULL)) {
+               if (ioctl->header.channel >= MAX_ADAPTERS ||
+                       esas2r_adapters[ioctl->header.channel] == NULL) {
                        ioctl->header.return_code = IOCTL_BAD_CHANNEL;
                        esas2r_log(ESAS2R_LOG_WARN, "bad channel value");
                        kfree(ioctl);
 
                        return -ENOTSUPP;
                }
+               a = esas2r_adapters[ioctl->header.channel];
        }
 
        switch (cmd) {
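Review bot: The element `esas2r_adapters[ioctl->header.channel]` is now read twice, once for the NULL test inside the condition and again for the assignment to `a` after the error block, whereas the old code read it once; no locking is visible in this hunk, so if the table can change concurrently (to be confirmed), `a` could still end up NULL despite the check. Reading it once after the bounds test keeps the fix and closes that gap, e.g. `if (ioctl->header.channel >= MAX_ADAPTERS || (a = esas2r_adapters[ioctl->header.channel]) == NULL) {`, or split it into two separate `if` statements if assignment in a condition is unwanted. Because the index comes from user space, clamping it with `array_index_nospec(ioctl->header.channel, MAX_ADAPTERS)` before the lookup would also keep the bounds check effective under speculative execution. Separately, the `return_code` set in the error branch is written to a buffer that is freed two lines later, so it probably never reaches the caller. esas2r_ioctl_handler starts and ends outside the hunk.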