On Mon, Feb 15, 2016 at 07:01:29PM +0000, Alan wrote:
> Check the array size *before* dereferencing it with a user provided offset
>
> Signed-off-by: Alan Cox <alan@xxxxxxxxxxxxxxx>
> ---
> drivers/scsi/esas2r/esas2r_ioctl.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/scsi/esas2r/esas2r_ioctl.c b/drivers/scsi/esas2r/esas2r_ioctl.c
> index baf9130..3e84834 100644
> --- a/drivers/scsi/esas2r/esas2r_ioctl.c
> +++ b/drivers/scsi/esas2r/esas2r_ioctl.c
> @@ -1360,14 +1360,15 @@ int esas2r_ioctl_handler(void *hostdata, int cmd, void __user *arg)
> if (ioctl->header.channel == 0xFF) {
> a = (struct esas2r_adapter *)hostdata;
> } else {
> - a = esas2r_adapters[ioctl->header.channel];
> - if (ioctl->header.channel >= MAX_ADAPTERS || (a == NULL)) {
> + if (ioctl->header.channel >= MAX_ADAPTERS ||
> + esas2r_adapters[ioctl->header.channel] == NULL) {
> ioctl->header.return_code = IOCTL_BAD_CHANNEL;
> esas2r_log(ESAS2R_LOG_WARN, "bad channel value");
> kfree(ioctl);
>
> return -ENOTSUPP;
> }
> + a = esas2r_adapters[ioctl->header.channel];
> }
>
> switch (cmd) {
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
Reviewed-by: Johannes Thumshirn <jthumshirn@xxxxxxx>
--
Johannes Thumshirn Storage
jthumshirn@xxxxxxx +49 911 74053 689
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
Key fingerprint = EC38 9CAB C2C4 F25D 8600 D0D0 0393 969D 2D76 0850
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
