[PATCH] bounds/limits fixes (Stanford Checker)

This fixes several trivial bounds/limits errors that were pointed out by the Stanford Checker.

[PATCH] bounds/limits fixes (Stanford Checker)
This fixes several trivial bounds/limits errors that were pointed out by the Stanford Checker.
c66c8088 · Randy Dunlap · Linus Torvalds · 8e33c50d · c66c8088 · c66c8088
Commit c66c8088 authored Feb 10, 2003 by Randy Dunlap Committed by Linus Torvalds Feb 10, 2003
19 changed files
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -345,7 +345,7 @@ static int cciss_open(struct inode *inode, struct file *filep)
 	printk(KERN_DEBUG "cciss_open %x (%x:%x)\n", inode->i_rdev, ctlr, dsk);
 #endif /* CCISS_DEBUG */ 
-	if (ctlr > MAX_CTLR || hba[ctlr] == NULL)
+	if (ctlr >= MAX_CTLR || hba[ctlr] == NULL)
 		return -ENXIO;
 	/*
 	 * Root is allowed to open raw volume zero even if its not configured

--- a/drivers/block/ll_rw_blk.c
+++ b/drivers/block/ll_rw_blk.c
@@ -677,7 +677,7 @@ static char *rq_flags[] = {
 	"REQ_SENSE",
 	"REQ_FAILED",
 	"REQ_QUIET",
-	"REQ_SPECIAL"
+	"REQ_SPECIAL",
 	"REQ_DRIVE_CMD",
 	"REQ_DRIVE_TASK",
 	"REQ_DRIVE_TASKFILE",

--- a/drivers/char/riscom8.c
+++ b/drivers/char/riscom8.c
@@ -1090,7 +1090,7 @@ static int rc_open(struct tty_struct * tty, struct file * filp)
 	unsigned long flags;
 	board = RC_BOARD(minor(tty->device));
-	if (board > RC_NBOARD || !(rc_board[board].flags & RC_BOARD_PRESENT))
+	if (board >= RC_NBOARD || !(rc_board[board].flags & RC_BOARD_PRESENT))
 		return -ENODEV;
 	bp = &rc_board[board];

--- a/drivers/char/sx.c
+++ b/drivers/char/sx.c
@@ -1689,7 +1689,7 @@ static int sx_fw_ioctl (struct inode *inode, struct file *filp,
 	switch (cmd) {
 	case SXIO_SET_BOARD:
 		sx_dprintk (SX_DEBUG_FIRMWARE, "set board to %ld\n", arg);
-		if (arg > SX_NBOARDS) return -EIO;
+		if (arg >= SX_NBOARDS) return -EIO;
 		sx_dprintk (SX_DEBUG_FIRMWARE, "not out of range\n");
 		if (!(boards[arg].flags	& SX_BOARD_PRESENT)) return -EIO;
 		sx_dprintk (SX_DEBUG_FIRMWARE, ".. and present!\n");

--- a/drivers/isdn/hardware/eicon/diva.c
+++ b/drivers/isdn/hardware/eicon/diva.c
@@ -563,10 +563,11 @@ static void diva_init_request_array(void)
 	Requests[31] = DivaIdiRequest31;
 }
+/* card:  1-based card number */
 void diva_xdi_display_adapter_features(int card)
 {
 	dword features;
-	if (!card || ((card - 1) > MAX_ADAPTER) || !IoAdapters[card - 1]) {
+	if (!card || ((card - 1) >= MAX_ADAPTER) || !IoAdapters[card - 1]) {
 		return;
 	}
 	card--;

--- a/drivers/media/dvb/av7110/av7110.c
+++ b/drivers/media/dvb/av7110/av7110.c
@@ -3243,7 +3243,7 @@ StopHWFilter(struct dvb_demux_filter *dvbdmxfilter)
        u16 handle;
        handle=dvbdmxfilter->hw_handle;
-        if (handle>32) {
+        if (handle >= MAXFILT) {
                dprintk("dvb: StopHWFilter tried to stop invalid filter %d.\n",
                       handle);
                dprintk("dvb: filter type = %d\n",  dvbdmxfilter->type);
@@ -4408,7 +4408,7 @@ dvb_register(av7110_t *av7110)
        dvbdemux->priv=(void *) av7110;
        if (av7110->saa->card_type==DVB_CARD_TT_SIEMENS) {
-                for (i=0; i<32; i++)
+                for (i = 0; i < MAXFILT; i++)
                        av7110->handle2filter[i]=NULL;
                dvbdemux->filternum=32;

--- a/drivers/media/dvb/av7110/av7110.h
+++ b/drivers/media/dvb/av7110/av7110.h
@@ -580,7 +580,7 @@ typedef struct av7110_s {
 #define TRICK_FREEZE 3
        struct audio_status      audiostate;
-        struct dvb_demux_filter     *handle2filter[32];
+        struct dvb_demux_filter     *handle2filter[MAXFILT];
        p2t_t                   p2t_filter[MAXFILT];
        dvb_filter_pes2ts_t     p2t[2];
        struct ipack_s          ipack[2];

--- a/drivers/media/video/bttv-cards.c
+++ b/drivers/media/video/bttv-cards.c
@@ -2172,8 +2172,9 @@ static void __devinit hauppauge_eeprom(struct bttv *btv)
 	tuner = eeprom_data[9];
 	radio = eeprom_data[blk2-1] & 0x01;
-        if (tuner < sizeof(hauppauge_tuner)/sizeof(struct HAUPPAUGE_TUNER))
+        if (tuner >= ARRAY_SIZE(hauppauge_tuner))
-                btv->tuner_type = hauppauge_tuner[tuner].id;
+		tuner = 0;
+	btv->tuner_type = hauppauge_tuner[tuner].id;
 	if (radio)
 		btv->has_radio = 1;

--- a/drivers/message/i2o/i2o_core.c
+++ b/drivers/message/i2o/i2o_core.c
@@ -3060,7 +3060,7 @@ void i2o_report_common_status(u8 req_status)
 		"PROGRESS_REPORT"	
 	};
-	if (req_status > I2O_REPLY_STATUS_PROGRESS_REPORT)
+	if (req_status >= ARRAY_SIZE(REPLY_STATUS))
 		printk("RequestStatus = %0#2x", req_status);
 	else
 		printk("%s", REPLY_STATUS[req_status]);

--- a/drivers/net/hamradio/scc.c
+++ b/drivers/net/hamradio/scc.c
@@ -1763,7 +1763,7 @@ static int scc_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
 			if (hwcfg.irq == 2) hwcfg.irq = 9;
-			if (hwcfg.irq <0 || hwcfg.irq > NR_IRQS)
+			if (hwcfg.irq < 0 || hwcfg.irq >= NR_IRQS)
 				return -EINVAL;
 			if (!Ivec[hwcfg.irq].used && hwcfg.irq)

--- a/drivers/net/irda/smc-ircc.c
+++ b/drivers/net/irda/smc-ircc.c
@@ -469,7 +469,7 @@ static int __init ircc_open(unsigned int fir_base, unsigned int sir_base)
 		"firport 0x%03x, sirport 0x%03x dma=%d, irq=%d\n",
 		chip & 0x0f, version, fir_base, sir_base, dma, irq);
-	if (dev_count>DIM(dev_self)) {
+	if (dev_count >= DIM(dev_self)) {
 	        IRDA_DEBUG(0, 
 			   "%s(), to many devices!\n", __FUNCTION__ );
 		return -ENOMEM;

--- a/drivers/net/wireless/orinoco.c
+++ b/drivers/net/wireless/orinoco.c
@@ -3057,7 +3057,7 @@ static int orinoco_ioctl_getrate(struct net_device *dev, struct iw_param *rrq)
 	ratemode = priv->bitratemode;
-	if ( (ratemode < 0) || (ratemode > BITRATE_TABLE_SIZE) )
+	if ( (ratemode < 0) || (ratemode >= BITRATE_TABLE_SIZE) )
 		BUG();
 	rrq->value = bitrate_table[ratemode].bitrate * 100000;

--- a/drivers/pcmcia/i82092.c
+++ b/drivers/pcmcia/i82092.c
@@ -384,7 +384,7 @@ static int card_present(int socketno)
 	unsigned int val;
 	enter("card_present");
-	if ((socketno<0) || (socketno > MAX_SOCKETS))
+	if ((socketno<0) || (socketno >= MAX_SOCKETS))
 		return 0;
 	if (sockets[socketno].io_base == 0)
 		return 0;

--- a/drivers/scsi/aacraid/aachba.c
+++ b/drivers/scsi/aacraid/aachba.c
@@ -1094,7 +1094,7 @@ static int query_disk(struct aac_dev *dev, void *arg)
 		qd.cnum = TARGET_LUN_TO_CONTAINER(qd.target, qd.lun);
 	else if ((qd.bus == -1) && (qd.target == -1) && (qd.lun == -1)) 
 	{
-		if (qd.cnum < 0 || qd.cnum > MAXIMUM_NUM_CONTAINERS)
+		if (qd.cnum < 0 || qd.cnum >= MAXIMUM_NUM_CONTAINERS)
 			return -EINVAL;
 		qd.instance = dev->scsi_host_ptr->host_no;
 		qd.bus = 0;
@@ -1129,7 +1129,7 @@ static int force_delete_disk(struct aac_dev *dev, void *arg)
 	if (copy_from_user(&dd, arg, sizeof (struct aac_delete_disk)))
 		return -EFAULT;
-	if (dd.cnum > MAXIMUM_NUM_CONTAINERS)
+	if (dd.cnum >= MAXIMUM_NUM_CONTAINERS)
 		return -EINVAL;
 	/*
 	 *	Mark this container as being deleted.
@@ -1152,7 +1152,7 @@ static int delete_disk(struct aac_dev *dev, void *arg)
 	if (copy_from_user(&dd, arg, sizeof (struct aac_delete_disk)))
 		return -EFAULT;
-	if (dd.cnum > MAXIMUM_NUM_CONTAINERS)
+	if (dd.cnum >= MAXIMUM_NUM_CONTAINERS)
 		return -EINVAL;
 	/*
 	 *	If the container is locked, it can not be deleted by the API.

--- a/drivers/scsi/aic7xxx/aic79xx_pci.c
+++ b/drivers/scsi/aic7xxx/aic79xx_pci.c
@@ -691,7 +691,7 @@ static const char *pci_status_source[] =
 static const char *split_status_strings[] =
 {
-	"%s: Received split response in %s.\n"
+	"%s: Received split response in %s.\n",
 	"%s: Received split completion error message in %s\n",
 	"%s: Receive overrun in %s\n",
 	"%s: Count not complete in %s\n",

--- a/drivers/scsi/cpqfcTSworker.c
+++ b/drivers/scsi/cpqfcTSworker.c
@@ -448,7 +448,7 @@ void cpqfcTS_WorkTask( struct Scsi_Host *HostAdapter)
      LONG x_ID = fcLQ->Qitem[QconsumerNdx].ulBuff[0];
      BOOLEAN FrozeTach = FALSE;   
-      if( x_ID > TACH_SEST_LEN )  // (in)sanity check
+      if ( x_ID >= TACH_SEST_LEN )  // (in)sanity check
      {
 //	printk( " cpqfcTS ERROR! BOGUS x_ID %Xh", x_ID);
 	break;

--- a/drivers/scsi/dpt_i2o.c
+++ b/drivers/scsi/dpt_i2o.c
@@ -1402,7 +1402,7 @@ static int adpt_i2o_parse_lct(adpt_hba* pHba)
 				printk(KERN_WARNING"%s: Channel number %d out of range \n", pHba->name, bus_no);
 				continue;
 			}
-			if(scsi_id > MAX_ID){
+			if (scsi_id >= MAX_ID){
 				printk(KERN_WARNING"%s: SCSI ID %d out of range \n", pHba->name, bus_no);
 				continue;
 			}
@@ -1476,7 +1476,7 @@ static int adpt_i2o_parse_lct(adpt_hba* pHba)
 				if(bus_no >= MAX_CHANNEL) {	// Something wrong skip it
 					continue;
 				}
-				if(scsi_id > MAX_ID){
+				if (scsi_id >= MAX_ID) {
 					continue;
 				}
 				if( pHba->channel[bus_no].device[scsi_id] == NULL){

--- a/fs/devfs/base.c
+++ b/fs/devfs/base.c
@@ -1169,7 +1169,7 @@ static devfs_handle_t _devfs_make_parent_for_leaf (struct devfs_entry *dir,
    *leaf_pos = (name[namelen] == '/') ? (namelen + 1) : 0;
    for (; namelen > 0; name += next_pos, namelen -= next_pos)
    {
-	struct devfs_entry *de, *old;
+	struct devfs_entry *de, *old = NULL;
 	if ( ( de = _devfs_descend (dir, name, namelen, &next_pos) ) == NULL )
 	{

--- a/net/irda/qos.c
+++ b/net/irda/qos.c
@@ -722,8 +722,8 @@ __u32 irlap_max_line_capacity(__u32 speed, __u32 max_turn_time)
 	i = value_index(speed, baud_rates, 10);
 	j = value_index(max_turn_time, max_turn_times, 4);
-	ASSERT(((i >=0) && (i <=10)), return 0;);
+	ASSERT(((i >=0) && (i <10)), return 0;);
-	ASSERT(((j >=0) && (j <=4)), return 0;);
+	ASSERT(((j >=0) && (j <4)), return 0;);
 	line_capacity = max_line_capacities[i][j];