From: Roel Kluin <roel.kluin@xxxxxxxxx> This allows i == MAX_INT_PARAM, which is out of range for ints[] Found with Parfait, http://research.sun.com/projects/parfait/ Signed-off-by: Roel Kluin <roel.kluin@xxxxxxxxx> Cc: Dario Ballabio <ballabio_dario@xxxxxxx> Cc: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- drivers/scsi/u14-34f.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff -puN drivers/scsi/u14-34f.c~drivers-scsi-u14-34fc-fix-uffer-overflow drivers/scsi/u14-34f.c --- a/drivers/scsi/u14-34f.c~drivers-scsi-u14-34fc-fix-uffer-overflow +++ a/drivers/scsi/u14-34f.c @@ -1070,7 +1070,7 @@ static int option_setup(char *str) { char *cur = str; int i = 1; - while (cur && isdigit(*cur) && i <= MAX_INT_PARAM) { + while (cur && isdigit(*cur) && i < MAX_INT_PARAM) { ints[i++] = simple_strtoul(cur, NULL, 0); if ((cur = strchr(cur, ',')) != NULL) cur++; _ -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
