From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754585AbbLFDoQ (ORCPT ); Sat, 5 Dec 2015 22:44:16 -0500 Received: from kvm5.telegraphics.com.au ([98.124.60.144]:53175 "EHLO kvm5.telegraphics.com.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754333AbbLFDoL (ORCPT ); Sat, 5 Dec 2015 22:44:11 -0500 Message-Id: <20151206013137.915522600@telegraphics.com.au> User-Agent: quilt/0.50-1 Date: Sun, 06 Dec 2015 12:32:10 +1100 From: Finn Thain To: "James E.J. Bottomley" , Michael Schmitz , , , Subject: [PATCH v2 44/72] ncr5380: Fix off-by-one bug in extended_msg[] bounds check References: <20151206013126.995379403@telegraphics.com.au> Content-Disposition: inline; filename=ncr5380-extended-message-length Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Fix the array bounds check when transferring an extended message from the target. Signed-off-by: Finn Thain --- drivers/scsi/NCR5380.c | 3 ++- drivers/scsi/atari_NCR5380.c | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) Index: linux/drivers/scsi/NCR5380.c =================================================================== --- linux.orig/drivers/scsi/NCR5380.c 2015-12-06 12:30:36.000000000 +1100 +++ linux/drivers/scsi/NCR5380.c 2015-12-06 12:30:38.000000000 +1100 
@@ -2034,7 +2034,8 @@ static void NCR5380_information_transfer dprintk(NDEBUG_EXTENDED, "scsi%d : length=%d, code=0x%02x\n", instance->host_no, (int) extended_msg[1], (int) extended_msg[2]); - if (!len && extended_msg[1] <= (sizeof(extended_msg) - 1)) { + if (!len && extended_msg[1] > 0 && + extended_msg[1] <= sizeof(extended_msg) - 2) { /* Accept third byte by clearing ACK */ NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE); len = extended_msg[1] - 1; Index: linux/drivers/scsi/atari_NCR5380.c =================================================================== --- linux.orig/drivers/scsi/atari_NCR5380.c 2015-12-06 12:30:36.000000000 +1100 +++ linux/drivers/scsi/atari_NCR5380.c 2015-12-06 12:30:38.000000000 +1100 @@ -2325,8 +2325,8 @@ static void NCR5380_information_transfer dprintk(NDEBUG_EXTENDED, "scsi%d: length=%d, code=0x%02x\n", HOSTNO, (int)extended_msg[1], (int)extended_msg[2]); - if (!len && extended_msg[1] <= - (sizeof(extended_msg) - 1)) { + if (!len && extended_msg[1] > 0 && + extended_msg[1] <= sizeof(extended_msg) - 2) { /* Accept third byte by clearing ACK */ NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE); len = extended_msg[1] - 1; From mboxrd@z Thu Jan 1 00:00:00 1970 From: Finn Thain Subject: [PATCH v2 44/72] ncr5380: Fix off-by-one bug in extended_msg[] bounds check Date: Sun, 06 Dec 2015 12:32:10 +1100 Message-ID: <20151206013137.915522600@telegraphics.com.au> References: <20151206013126.995379403@telegraphics.com.au> Return-path: Content-Disposition: inline; filename=ncr5380-extended-message-length Sender: linux-kernel-owner@vger.kernel.org To: "James E.J. Bottomley" , Michael Schmitz , linux-m68k@vger.kernel.org, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org List-Id: linux-m68k@vger.kernel.org Fix the array bounds check when transferring an extended message from the target. 
Signed-off-by: Finn Thain --- drivers/scsi/NCR5380.c | 3 ++- drivers/scsi/atari_NCR5380.c | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) Index: linux/drivers/scsi/NCR5380.c =================================================================== --- linux.orig/drivers/scsi/NCR5380.c 2015-12-06 12:30:36.000000000 +1100 +++ linux/drivers/scsi/NCR5380.c 2015-12-06 12:30:38.000000000 +1100 @@ -2034,7 +2034,8 @@ static void NCR5380_information_transfer dprintk(NDEBUG_EXTENDED, "scsi%d : length=%d, code=0x%02x\n", instance->host_no, (int) extended_msg[1], (int) extended_msg[2]); - if (!len && extended_msg[1] <= (sizeof(extended_msg) - 1)) { + if (!len && extended_msg[1] > 0 && + extended_msg[1] <= sizeof(extended_msg) - 2) { /* Accept third byte by clearing ACK */ NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE); len = extended_msg[1] - 1; Index: linux/drivers/scsi/atari_NCR5380.c =================================================================== --- linux.orig/drivers/scsi/atari_NCR5380.c 2015-12-06 12:30:36.000000000 +1100 +++ linux/drivers/scsi/atari_NCR5380.c 2015-12-06 12:30:38.000000000 +1100 @@ -2325,8 +2325,8 @@ static void NCR5380_information_transfer dprintk(NDEBUG_EXTENDED, "scsi%d: length=%d, code=0x%02x\n", HOSTNO, (int)extended_msg[1], (int)extended_msg[2]); - if (!len && extended_msg[1] <= - (sizeof(extended_msg) - 1)) { + if (!len && extended_msg[1] > 0 && + extended_msg[1] <= sizeof(extended_msg) - 2) { /* Accept third byte by clearing ACK */ NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE); len = extended_msg[1] - 1;
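Review bot: In the drivers/scsi/NCR5380.c hunk at -2034, the added `extended_msg[1] > 0` test is a second behaviour change that neither the subject line ("off-by-one") nor the changelog mentions. Without it, a length byte of zero makes the subtraction in `len = extended_msg[1] - 1;` go below zero, so the test looks right, but the changelog should say that zero-length extended messages are now refused and what happens to a message that fails the check, since the else path is outside the visible context. It would also help to spell out in the changelog why the limit moves from `sizeof(extended_msg) - 1` to `sizeof(extended_msg) - 2`, so the next reader does not have to re-derive it.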
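Review bot: In the drivers/scsi/atari_NCR5380.c hunk at -2325, the bare `- 2` in `extended_msg[1] <= sizeof(extended_msg) - 2` has no comment, and the same condition is repeated verbatim in NCR5380.c. From the visible lines the length byte counts the third byte plus the `len` bytes that follow, so the two bytes subtracted are presumably extended_msg[0] and extended_msg[1] themselves, assuming the remaining bytes are stored from extended_msg[3] onward, which the hunk does not show. A one-line comment stating that at the check, or a small shared macro or helper used by both files, would keep the two copies from drifting apart again.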