'cnt' can exceed the size of the risc_ram[] array. Prevent that Coverity complains by rewriting an address calculation expression. This patch fixes the following Coverity complaint: CID 337803 (#1 of 1): Out-of-bounds read (OVERRUN) 109. overrun-local: Overrunning array of 122880 bytes at byte offset 122880 by dereferencing pointer &fw->risc_ram[cnt]. Cc: Nilesh Javali <njavali@xxxxxxxxxxx> Cc: Quinn Tran <qutran@xxxxxxxxxxx> Cc: Himanshu Madhani <himanshu.madhani@xxxxxxxxxx> Cc: Daniel Wagner <dwagner@xxxxxxx> Cc: Martin Wilck <mwilck@xxxxxxxx> Cc: Roman Bolshakov <r.bolshakov@xxxxxxxxx> Signed-off-by: Bart Van Assche <bvanassche@xxxxxxx> --- drivers/scsi/qla2xxx/qla_dbg.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/qla2xxx/qla_dbg.c b/drivers/scsi/qla2xxx/qla_dbg.c index 2ed0b849fbfe..5e873b70e843 100644 --- a/drivers/scsi/qla2xxx/qla_dbg.c +++ b/drivers/scsi/qla2xxx/qla_dbg.c @@ -1063,7 +1063,8 @@ qla2100_fw_dump(scsi_qla_host_t *vha) } if (rval == QLA_SUCCESS) - qla2xxx_copy_queues(ha, &fw->risc_ram[cnt]); + qla2xxx_copy_queues(ha, (char *)fw + + offsetof(typeof(*fw), risc_ram) + cnt); qla2xxx_dump_post_process(base_vha, rval); }
