[PATCH] staging: rts_pstor: fix read past end of buffer

From: wei_wang
Date: Wed Feb 09 2011 - 22:39:45 EST


From: wwang <wei_wang@xxxxxxxxxxxxxx>

Thanks to Dan Carpenter <error27@xxxxxxxxx>, who helped find this bug.
There are two places where we read one space past the end of the buffer.

Signed-off-by: wwang <wei_wang@xxxxxxxxxxxxxx>
---
drivers/staging/rts_pstor/ms.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/staging/rts_pstor/ms.c b/drivers/staging/rts_pstor/ms.c
index dd59931..28d17c7 100644
--- a/drivers/staging/rts_pstor/ms.c
+++ b/drivers/staging/rts_pstor/ms.c
@@ -3361,8 +3361,8 @@ static int ms_rw_multi_sector(struct scsi_cmnd *srb, struct rtsx_chip *chip, u32
log_blk = (u16)(start_sector >> ms_card->block_shift);
start_page = (u8)(start_sector & ms_card->page_off);

- for (seg_no = 0; seg_no < sizeof(ms_start_idx)/2; seg_no++) {
- if (log_blk < ms_start_idx[seg_no+1])
+ for (seg_no = 0; seg_no < ARRAY_SIZE(ms_start_idx) - 1; seg_no++) {
+ if (log_blk < ms_start_idx[seg_no + 1])
break;
}

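Review bot: the fall-through case of the corrected loop in this first hunk is left implicit. When log_blk is not below any ms_start_idx[seg_no + 1], the loop now exits with seg_no == ARRAY_SIZE(ms_start_idx) - 1, and nothing in the visible lines says whether that value means "last segment" or "log_blk out of range". A one-line comment above the loop, or an explicit check after it, would document which is intended. It would also help to note in the changelog that the old bound, sizeof(ms_start_idx)/2, let seg_no + 1 reach the element count itself, since that is the read the patch removes.
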
@@ -3494,8 +3494,8 @@ static int ms_rw_multi_sector(struct scsi_cmnd *srb, struct rtsx_chip *chip, u32

log_blk++;

- for (seg_no = 0; seg_no < sizeof(ms_start_idx)/2; seg_no++) {
- if (log_blk < ms_start_idx[seg_no+1])
+ for (seg_no = 0; seg_no < ARRAY_SIZE(ms_start_idx) - 1; seg_no++) {
+ if (log_blk < ms_start_idx[seg_no + 1])
break;
}

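Review bot: the loop after log_blk++ in this second hunk is a verbatim copy of the one in the first hunk, which is how the same off-by-one had to be fixed twice. Consider moving the lookup into a small static helper that takes log_blk and returns seg_no, so the ARRAY_SIZE(ms_start_idx) - 1 bound lives in one place and the two call sites cannot drift apart again.
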
--
1.7.4
