forked from Minki/linux
ncr5380: Fix off-by-one bug in extended_msg[] bounds check
Fix the array bounds check when transferring an extended message from the target. Signed-off-by: Finn Thain <fthain@telegraphics.com.au> Reviewed-by: Hannes Reinecke <hare@suse.com> Tested-by: Ondrej Zary <linux@rainbow-software.org> Tested-by: Michael Schmitz <schmitzmic@gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
This commit is contained in:
parent
72064a783b
commit
e0783ed366
@ -2039,7 +2039,8 @@ static void NCR5380_information_transfer(struct Scsi_Host *instance) {
|
||||
|
||||
dprintk(NDEBUG_EXTENDED, "scsi%d : length=%d, code=0x%02x\n", instance->host_no, (int) extended_msg[1], (int) extended_msg[2]);
|
||||
|
||||
if (!len && extended_msg[1] <= (sizeof(extended_msg) - 1)) {
|
||||
if (!len && extended_msg[1] > 0 &&
|
||||
extended_msg[1] <= sizeof(extended_msg) - 2) {
|
||||
/* Accept third byte by clearing ACK */
|
||||
NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE);
|
||||
len = extended_msg[1] - 1;
|
||||
|
@ -2330,8 +2330,8 @@ static void NCR5380_information_transfer(struct Scsi_Host *instance)
|
||||
dprintk(NDEBUG_EXTENDED, "scsi%d: length=%d, code=0x%02x\n", HOSTNO,
|
||||
(int)extended_msg[1], (int)extended_msg[2]);
|
||||
|
||||
if (!len && extended_msg[1] <=
|
||||
(sizeof(extended_msg) - 1)) {
|
||||
if (!len && extended_msg[1] > 0 &&
|
||||
extended_msg[1] <= sizeof(extended_msg) - 2) {
|
||||
/* Accept third byte by clearing ACK */
|
||||
NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE);
|
||||
len = extended_msg[1] - 1;
|
||||
|
Loading…
Reference in New Issue
Block a user