From: wwang <wei_wang@xxxxxxxxxxxxxx>
Thanks Dan Carpenter <error27@xxxxxxxxx> who helps to find this bug. There are two places where we read one space past the end of buffer.
Signed-off-by: wwang <wei_wang@xxxxxxxxxxxxxx>
---
 drivers/staging/rts_pstor/ms.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/staging/rts_pstor/ms.c b/drivers/staging/rts_pstor/ms.c
index dd59931..28d17c7 100644
--- a/drivers/staging/rts_pstor/ms.c
+++ b/drivers/staging/rts_pstor/ms.c
@@ -3361,8 +3361,8 @@ static int ms_rw_multi_sector(struct scsi_cmnd *srb, struct rtsx_chip *chip, u32
 log_blk = (u16)(start_sector >> ms_card->block_shift);
 start_page = (u8)(start_sector & ms_card->page_off);
- for (seg_no = 0; seg_no < sizeof(ms_start_idx)/2; seg_no++) {
- if (log_blk < ms_start_idx[seg_no+1])
+ for (seg_no = 0; seg_no < ARRAY_SIZE(ms_start_idx) - 1; seg_no++) {
+ if (log_blk < ms_start_idx[seg_no + 1])
 break;
 }
@@ -3494,8 +3494,8 @@ static int ms_rw_multi_sector(struct scsi_cmnd *srb, struct rtsx_chip *chip, u32
 log_blk++;
- for (seg_no = 0; seg_no < sizeof(ms_start_idx)/2; seg_no++) {
- if (log_blk < ms_start_idx[seg_no+1])
+ for (seg_no = 0; seg_no < ARRAY_SIZE(ms_start_idx) - 1; seg_no++) {
+ if (log_blk < ms_start_idx[seg_no + 1])
 break;
 }
--
1.7.4
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
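Review bot: When log_blk is not below any boundary, both loops (the hunks at 3361 and 3494) now exit with seg_no equal to `ARRAY_SIZE(ms_start_idx) - 1`, and nothing visible in either hunk rejects that value before it is used. log_blk is derived from start_sector, which appears to come from the SCSI request, so an out-of-range block number would be safer failed explicitly than carried forward as a segment index that may not correspond to a real segment. If the last element of ms_start_idx is an upper-bound sentinel, a check after each loop such as `if (seg_no == ARRAY_SIZE(ms_start_idx) - 1)` followed by the function's error return would close that path; comparing against the card's actual segment count would be stricter. ms_rw_multi_sector starts and ends outside both hunks, so how seg_no is consumed needs confirming there. The lookup is also duplicated verbatim, so a small static helper would keep the bound in one place.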