[PATCH] coverity: i386: scsi_lib buffer overrun fix
The check in

627  		BUG_ON(index > SG_MEMPOOL_NR);

with SG_MEMPOOL_NR defined in

32   	#define SG_MEMPOOL_NR		(sizeof(scsi_sg_pools)/sizeof(struct scsi_host_sg_pool))

was not sufficient.

sgp, set in

629  		sgp = scsi_sg_pools + index;

is dereferenced in

630  		mempool_free(sgl, sgp->pool);

Signed-off-by: Zaur Kambarov <zkambarov@coverity.com>
Cc: <linux-scsi@vger.kernel.org>
Cc: James Bottomley <James.Bottomley@steeleye.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
KAMBAROV, ZAUR authored and Linus Torvalds committed Jun 29, 2005
1 parent a8f5034 commit a77e336
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/scsi/scsi_lib.c
Expand Up @@ -632,7 +632,7 @@ static void scsi_free_sgtable(struct scatterlist *sgl, int index)
{
struct scsi_host_sg_pool *sgp;

BUG_ON(index > SG_MEMPOOL_NR);
BUG_ON(index >= SG_MEMPOOL_NR);

sgp = scsi_sg_pools + index;
mempool_free(sgl, sgp->pool);
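
Review bot: the corrected check BUG_ON(index >= SG_MEMPOOL_NR) in scsi_free_sgtable() rejects a negative index only implicitly. The parameter is declared int, and SG_MEMPOOL_NR is a sizeof expression, so the comparison converts index to an unsigned type and a negative value becomes a very large one. That behaviour is correct but easy to lose if SG_MEMPOOL_NR is ever redefined as a plain signed constant. Consider declaring index as unsigned int, or adding a one-line comment above the BUG_ON stating that the check covers both ends of the scsi_sg_pools range, since the next line computes scsi_sg_pools + index and mempool_free() dereferences the result through sgp->pool.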