[PATCH] coverity: i386: scsi_lib buffer overrun fix
authorKAMBAROV, ZAUR <kambarov@berkeley.edu>
Wed, 29 Jun 2005 03:45:06 +0000 (20:45 -0700)
committerLinus Torvalds <torvalds@ppc970.osdl.org>
Wed, 29 Jun 2005 04:20:33 +0000 (21:20 -0700)
The check in

627   BUG_ON(index > SG_MEMPOOL_NR);

with SG_MEMPOOL_NR defined in

32    #define SG_MEMPOOL_NR (sizeof(scsi_sg_pools)/sizeof(struct scsi_host_sg_pool))

was not sufficient.

sgp, set in

629   sgp = scsi_sg_pools + index;

is dereferenced in

630   mempool_free(sgl, sgp->pool);

Signed-off-by: Zaur Kambarov <zkambarov@coverity.com>
Cc: <linux-scsi@vger.kernel.org>
Cc: James Bottomley <James.Bottomley@steeleye.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
drivers/scsi/scsi_lib.c

index 621dee8b8cb29f40a2e8a53c9e608b4fbe09bea5..10506f9cd0c929da622b667c22fcee071c522bd2 100644 (file)
@@ -632,7 +632,7 @@ static void scsi_free_sgtable(struct scatterlist *sgl, int index)
 {
        struct scsi_host_sg_pool *sgp;
 
-       BUG_ON(index > SG_MEMPOOL_NR);
+       BUG_ON(index >= SG_MEMPOOL_NR);
 
        sgp = scsi_sg_pools + index;
        mempool_free(sgl, sgp->pool);
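Review bot: The corrected bound `index >= SG_MEMPOOL_NR` compares the signed `int index` from the hunk header against a `sizeof`-derived `size_t` (the macro shown in the description), so a negative index is rejected only through the implicit conversion to unsigned, not by an explicit test. That makes the guard's correctness depend on the macro's type: `-Wsign-compare` will warn here, and a later change of `SG_MEMPOOL_NR` to a plain signed constant would silently let negative indices through to the `scsi_sg_pools + index` dereference two lines below. Making the range check explicit, `BUG_ON(index < 0 || index >= SG_MEMPOOL_NR);`, keeps the guard sound regardless of how the macro is defined. scsi_free_sgtable's body continues past the end of the hunk.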