From: Dan Carpenter Date: Thu, 25 Jan 2018 14:27:27 +0000 (+0300) Subject: scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=62d16de3109f8dff76f97b58d66ce502970b2f3f;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo() [ Upstream commit a7043e9529f3c367cc4d82997e00be034cbe57ca ] My static checker complains about an out of bounds read: drivers/message/fusion/mptctl.c:2786 mptctl_hp_targetinfo() error: buffer overflow 'hd->sel_timeout' 255 <= u32max. It's true that we probably should have a bounds check here. Signed-off-by: Dan Carpenter Reviewed-by: Johannes Thumshirn Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/message/fusion/mptctl.c b/drivers/message/fusion/mptctl.c index 7b3b41368931..cf6ce9f600ca 100644 --- a/drivers/message/fusion/mptctl.c +++ b/drivers/message/fusion/mptctl.c @@ -2698,6 +2698,8 @@ mptctl_hp_targetinfo(unsigned long arg) __FILE__, __LINE__, iocnum); return -ENODEV; } + if (karg.hdr.id >= MPT_MAX_FC_DEVICES) + return -EINVAL; dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_hp_targetinfo called.\n", ioc->name));