[PATCH] coverity: i386: scsi_lib buffer overrun fix

The check in 627 BUG_ON(index > SG_MEMPOOL_NR); with SG_MEMPOOL_NR defined in 32 #define SG_MEMPOOL_NR (sizeof(scsi_sg_pools)/sizeof(struct scsi_host_sg_pool)) was not sufficient. sgp, set in 629 sgp = scsi_sg_pools + index; is dereferenced in 630 mempool_free(sgl, sgp->pool); Signed-off-by: Zaur Kambarov <zkambarov@coverity.com> Cc: <linux-scsi@vger.kernel.org> Cc: James Bottomley <James.Bottomley@steeleye.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

[PATCH] coverity: i386: scsi_lib buffer overrun fix
The check in 627 BUG_ON(index > SG_MEMPOOL_NR); with SG_MEMPOOL_NR defined in 32 #define SG_MEMPOOL_NR (sizeof(scsi_sg_pools)/sizeof(struct scsi_host_sg_pool)) was not sufficient. sgp, set in 629 sgp = scsi_sg_pools + index; is dereferenced in 630 mempool_free(sgl, sgp->pool); Signed-off-by: Zaur Kambarov <zkambarov@coverity.com> Cc: <linux-scsi@vger.kernel.org> Cc: James Bottomley <James.Bottomley@steeleye.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
a77e3362 · KAMBAROV, ZAUR · Linus Torvalds · a8f50345 · a77e3362
Commit a77e3362 authored Jun 28, 2005 by KAMBAROV, ZAUR Committed by Linus Torvalds Jun 28, 2005
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/scsi/scsi_lib.c drivers/scsi/scsi_lib.c +1 -1

No files found.
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -632,7 +632,7 @@ static void scsi_free_sgtable(struct scatterlist *sgl, int index)
 {
 	struct scsi_host_sg_pool *sgp;

-	BUG_ON(index > SG_MEMPOOL_NR);
+	BUG_ON(index >= SG_MEMPOOL_NR);

 	sgp = scsi_sg_pools + index;
 	mempool_free(sgl, sgp->pool);