'cnt' can exceed the size of the risc_ram[] array. Prevent that Coverity complains by rewriting an address calculation expression. This patch fixes the following Coverity complaint: CID 337803 (#1 of 1): Out-of-bounds read (OVERRUN) 109. overrun-local: Overrunning array of 122880 bytes at byte offset 122880 by dereferencing pointer &fw->risc_ram[cnt]. Reviewed-by: Daniel Wagner <dwagner@xxxxxxx> Cc: Nilesh Javali <njavali@xxxxxxxxxxx> Cc: Quinn Tran <qutran@xxxxxxxxxxx> Cc: Himanshu Madhani <himanshu.madhani@xxxxxxxxxx> Cc: Martin Wilck <mwilck@xxxxxxxx> Cc: Roman Bolshakov <r.bolshakov@xxxxxxxxx> Signed-off-by: Bart Van Assche <bvanassche@xxxxxxx> --- drivers/scsi/qla2xxx/qla_dbg.c | 2 +- drivers/scsi/qla2xxx/qla_dbg.h | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/qla2xxx/qla_dbg.c b/drivers/scsi/qla2xxx/qla_dbg.c index 19005710f7f6..41493bd53fc0 100644 --- a/drivers/scsi/qla2xxx/qla_dbg.c +++ b/drivers/scsi/qla2xxx/qla_dbg.c @@ -1063,7 +1063,7 @@ qla2100_fw_dump(scsi_qla_host_t *vha) } if (rval == QLA_SUCCESS) - qla2xxx_copy_queues(ha, &fw->risc_ram[cnt]); + qla2xxx_copy_queues(ha, &fw->queue_dump[0]); qla2xxx_dump_post_process(base_vha, rval); } diff --git a/drivers/scsi/qla2xxx/qla_dbg.h b/drivers/scsi/qla2xxx/qla_dbg.h index 54ed020e6f75..91eb6901815c 100644 --- a/drivers/scsi/qla2xxx/qla_dbg.h +++ b/drivers/scsi/qla2xxx/qla_dbg.h @@ -53,6 +53,7 @@ struct qla2100_fw_dump { __be16 fpm_b0_reg[64]; __be16 fpm_b1_reg[64]; __be16 risc_ram[0xf000]; + u8 queue_dump[]; }; struct qla24xx_fw_dump {