[patch 18/34] coverity: i386: scsi_lib buffer overrun fix

From: "KAMBAROV, ZAUR" <kambarov@xxxxxxxxxxxx>

The check in

627  		BUG_ON(index > SG_MEMPOOL_NR);

with SG_MEMPOOL_NR defined in

32   	#define SG_MEMPOOL_NR		(sizeof(scsi_sg_pools)/sizeof(struct scsi_host_sg_pool))

was not sufficient.

sgp, set in

629  		sgp = scsi_sg_pools + index;

is dereferenced in

630  		mempool_free(sgl, sgp->pool);

Signed-off-by: Zaur Kambarov <zkambarov@xxxxxxxxxxxx> 
Cc: <linux-scsi@xxxxxxxxxxxxxxx>
Cc: James Bottomley <James.Bottomley@xxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---

 drivers/scsi/scsi_lib.c |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

diff -puN drivers/scsi/scsi_lib.c~coverity-i386-scsi_lib-buffer-overrun-fix drivers/scsi/scsi_lib.c
--- 25/drivers/scsi/scsi_lib.c~coverity-i386-scsi_lib-buffer-overrun-fix	2005-06-28 19:58:38.000000000 -0700
+++ 25-akpm/drivers/scsi/scsi_lib.c	2005-06-28 19:58:38.000000000 -0700
@@ -632,7 +632,7 @@ static void scsi_free_sgtable(struct sca
 {
 	struct scsi_host_sg_pool *sgp;
 
-	BUG_ON(index > SG_MEMPOOL_NR);
+	BUG_ON(index >= SG_MEMPOOL_NR);
 
 	sgp = scsi_sg_pools + index;
 	mempool_free(sgl, sgp->pool);
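
Review bot: The changelog for the `BUG_ON(index >= SG_MEMPOOL_NR)` change never says what the defect is. It should state that valid indices into scsi_sg_pools run from 0 to SG_MEMPOOL_NR - 1, so the old `index > SG_MEMPOOL_NR` test let index == SG_MEMPOOL_NR through, and `sgp = scsi_sg_pools + index` then pointed one element past the end of the array before `sgp->pool` was read. No separate lower-bound check is needed here: SG_MEMPOOL_NR is a sizeof expression, so the comparison is done unsigned and a negative index is also rejected. As a style point, the hand-written sizeof division quoted in the changelog could be written as ARRAY_SIZE(scsi_sg_pools).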
_