scsi: qedi: off by one in qedi_get_cmd_from_tid()
author Dan Carpenter <dan.carpenter@oracle.com>
Fri, 25 Aug 2017 10:36:57 +0000 (13:36 +0300)
committer Martin K. Petersen <martin.petersen@oracle.com>
Tue, 29 Aug 2017 02:12:39 +0000 (22:12 -0400)
The > here should be >= or we end up reading one element beyond the end
of the qedi->itt_map[] array.  The qedi->itt_map[] array is allocated in
qedi_alloc_itt().

Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.")
Cc: <stable@vger.kernel.org> # v4.10+
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Manish Rangankar <Manish.Rangankar@cavium.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
drivers/scsi/qedi/qedi_main.c

index 2c37836848152f91b394bfeea4e120ce2d35f46a..85e7bae4a7ef8ff7a5e24105426e64e657d60427 100644 (file)
@@ -1575,7 +1575,7 @@ struct qedi_cmd *qedi_get_cmd_from_tid(struct qedi_ctx *qedi, u32 tid)
 {
        struct qedi_cmd *cmd = NULL;
 
-       if (tid > MAX_ISCSI_TASK_ENTRIES)
+       if (tid >= MAX_ISCSI_TASK_ENTRIES)
                return NULL;
 
        cmd = qedi->itt_map[tid].p_cmd;
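
Review bot: the corrected bound in `if (tid >= MAX_ISCSI_TASK_ENTRIES)` is only right while qedi->itt_map[] holds exactly MAX_ISCSI_TASK_ENTRIES elements, and nothing in this hunk ties the check to that size. The commit message says the array is allocated in qedi_alloc_itt(), which is outside the visible lines, so a short comment above the check naming qedi_alloc_itt() as the source of the bound would help keep a later change to the allocation from reintroducing an out-of-bounds read at `qedi->itt_map[tid].p_cmd`. Minor style point: the `= NULL` initializer on cmd is unused on the lines shown, since the early return uses a literal NULL and cmd is assigned immediately after the check.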