The patch titled

     coverity: i386: scsi_lib buffer overrun fix

has been added to the -mm tree.  Its filename is

     coverity-i386-scsi_lib-buffer-overrun-fix.patch

Patches currently in -mm which might be from kambarov@xxxxxxxxxxxx are

coverity-i386-build-negative-return-to-unsigned-fix.patch
coverity-ipv4-fib_frontend-ifa_dev-null-check.patch
coverity-i386-scsi_lib-buffer-overrun-fix.patch
coverity-ipmi_msghandler-channels-array-overrun-fix.patch
a.patch

From: "KAMBAROV, ZAUR" <kambarov@xxxxxxxxxxxx>

The check in

     627 BUG_ON(index > SG_MEMPOOL_NR);

with SG_MEMPOOL_NR defined in

     32 #define SG_MEMPOOL_NR (sizeof(scsi_sg_pools)/sizeof(struct scsi_host_sg_pool))

was not sufficient. sgp, set in

     629 sgp = scsi_sg_pools + index;

is dereferenced in

     630 mempool_free(sgl, sgp->pool);

Signed-off-by: Zaur Kambarov <zkambarov@xxxxxxxxxxxx>
Cc: <linux-scsi@xxxxxxxxxxxxxxx>
Cc: James Bottomley <James.Bottomley@xxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>

--- drivers/scsi/scsi_lib.c | 2 +- 1 files changed, 1 insertion(+), 1 deletion(-) diff -puN drivers/scsi/scsi_lib.c~coverity-i386-scsi_lib-buffer-overrun-fix drivers/scsi/scsi_lib.c --- 25/drivers/scsi/scsi_lib.c~coverity-i386-scsi_lib-buffer-overrun-fix Fri Jun 24 14:18:52 2005 +++ 25-akpm/drivers/scsi/scsi_lib.c Fri Jun 24 14:18:52 2005 @@ -632,7 +632,7 @@ static void scsi_free_sgtable(struct sca { struct scsi_host_sg_pool *sgp; - BUG_ON(index > SG_MEMPOOL_NR); + BUG_ON(index >= SG_MEMPOOL_NR); sgp = scsi_sg_pools + index; mempool_free(sgl, sgp->pool); _
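
Review bot: the changelog for the BUG_ON change in scsi_free_sgtable() says the old check "was not sufficient" without stating why, and the "i386" in the subject is misleading for a fix in drivers/scsi/scsi_lib.c, which is not architecture code. Please spell out the off-by-one: SG_MEMPOOL_NR is the element count of scsi_sg_pools, so valid indexes run from 0 to SG_MEMPOOL_NR - 1, and with the old "index > SG_MEMPOOL_NR" test a value of index == SG_MEMPOOL_NR passed, leaving sgp pointing one element past the end of the array before sgp->pool is read and handed to mempool_free(). The new ">=" comparison closes that case. The truncated function signature in the hunk header does not show the type of index; if it is signed, a negative value still passes this check, so either confirm it is unsigned or add a lower bound. As a style follow-up, the SG_MEMPOOL_NR definition quoted in the changelog could use ARRAY_SIZE(scsi_sg_pools), and any other place that compares an index against SG_MEMPOOL_NR deserves the same look.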