From: Finn Thain Date: Sun, 3 Jan 2016 05:05:45 +0000 (+1100) Subject: ncr5380: Fix off-by-one bug in extended_msg[] bounds check X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=e0783ed3660aecb83af580cdace583980b22809b;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git ncr5380: Fix off-by-one bug in extended_msg[] bounds check Fix the array bounds check when transferring an extended message from the target. Signed-off-by: Finn Thain Reviewed-by: Hannes Reinecke Tested-by: Ondrej Zary Tested-by: Michael Schmitz Signed-off-by: Martin K. Petersen
---
diff --git a/drivers/scsi/NCR5380.c b/drivers/scsi/NCR5380.c
index 78cf970e13ba..c6b69ee0021a 100644
--- a/drivers/scsi/NCR5380.c
+++ b/drivers/scsi/NCR5380.c
@@ -2039,7 +2039,8 @@ static void NCR5380_information_transfer(struct Scsi_Host *instance) {
 dprintk(NDEBUG_EXTENDED, "scsi%d : length=%d, code=0x%02x\n", instance->host_no, (int) extended_msg[1], (int) extended_msg[2]);
- if (!len && extended_msg[1] <= (sizeof(extended_msg) - 1)) {
+ if (!len && extended_msg[1] > 0 &&
+ extended_msg[1] <= sizeof(extended_msg) - 2) {
 /* Accept third byte by clearing ACK */
 NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE);
 len = extended_msg[1] - 1;
diff --git a/drivers/scsi/atari_NCR5380.c b/drivers/scsi/atari_NCR5380.c
index 214f43b4baad..c14cfb1cc3dd 100644
--- a/drivers/scsi/atari_NCR5380.c
+++ b/drivers/scsi/atari_NCR5380.c
@@ -2330,8 +2330,8 @@ static void NCR5380_information_transfer(struct Scsi_Host *instance)
 dprintk(NDEBUG_EXTENDED, "scsi%d: length=%d, code=0x%02x\n", HOSTNO, (int)extended_msg[1], (int)extended_msg[2]);
- if (!len && extended_msg[1] <=
- (sizeof(extended_msg) - 1)) {
+ if (!len && extended_msg[1] > 0 &&
+ extended_msg[1] <= sizeof(extended_msg) - 2) {
 /* Accept third byte by clearing ACK */
 NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE);
 len = extended_msg[1] - 1;
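Review bot: The new bound `sizeof(extended_msg) - 2` and the `extended_msg[1] > 0` guard in the `if (!len && ...)` condition carry no explanation, and the identical condition appears again in the drivers/scsi/atari_NCR5380.c hunk, so both copies need a comment. Something like `/* length byte is supplied by the target: it must be non-zero (len = length - 1 below) and length + 2 bytes must fit in extended_msg[] */` would make the arithmetic reviewable; the `+ 2` presumably accounts for the message and length bytes at indexes 0 and 1, which should be confirmed against the array's declaration outside the hunk. NCR5380_information_transfer starts and ends outside both hunks, so the path taken when the length is rejected is not visible here, and it is worth confirming that it rejects the message instead of continuing with the target-supplied value.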