Date: Tue, 26 Apr 2016 22:01:07 +0000 (UTC) From: "Conrad E. Meyer" <cem@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r298670 - head/sys/dev/ciss Message-ID: <201604262201.u3QM17UX066414@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: cem Date: Tue Apr 26 22:01:07 2016 New Revision: 298670 URL: https://svnweb.freebsd.org/changeset/base/298670 Log: ciss(4): Fix overrun of array The softc member 'ciss_logical' is an array of 'ciss_max_logical_bus' members. Most of the time it is iterated correctly. This patch fixes the two instances where the driver iterated off the end of the array. Reported by: Coverity CID: 1305492 Sponsored by: EMC / Isilon Storage Division Modified: head/sys/dev/ciss/ciss.c Modified: head/sys/dev/ciss/ciss.c ============================================================================== --- head/sys/dev/ciss/ciss.c Tue Apr 26 21:44:08 2016 (r298669) +++ head/sys/dev/ciss/ciss.c Tue Apr 26 22:01:07 2016 (r298670) @@ -1431,7 +1431,7 @@ ciss_init_logical(struct ciss_softc *sc) goto out; } - for (i = 0; i <= sc->ciss_max_logical_bus; i++) { + for (i = 0; i < sc->ciss_max_logical_bus; i++) { sc->ciss_logical[i] = malloc(sc->ciss_cfg->max_logical_supported * sizeof(struct ciss_ldrive), @@ -2030,7 +2030,7 @@ ciss_free(struct ciss_softc *sc) if (sc->ciss_parent_dmat) bus_dma_tag_destroy(sc->ciss_parent_dmat); if (sc->ciss_logical) { - for (i = 0; i <= sc->ciss_max_logical_bus; i++) { + for (i = 0; i < sc->ciss_max_logical_bus; i++) { for (j = 0; j < sc->ciss_cfg->max_logical_supported; j++) { if (sc->ciss_logical[i][j].cl_ldrive) free(sc->ciss_logical[i][j].cl_ldrive, CISS_MALLOC_CLASS);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201604262201.u3QM17UX066414>