lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <1297309084-19839-1-git-send-email-wei_wang@realsil.com.cn>
Date:	Thu, 10 Feb 2011 11:38:04 +0800
From:	<wei_wang@...lsil.com.cn>
To:	<gregkh@...e.de>, <devel@...uxdriverproject.org>,
	<linux-kernel@...r.kernel.org>
CC:	wwang <wei_wang@...lsil.com.cn>
Subject: [PATCH] staging: rts_pstor: fix read past end of buffer

From: wwang <wei_wang@...lsil.com.cn>

Thanks Dan Carpenter <error27@...il.com> who helps to find this bug.
There are two places where we read one space past the end of buffer.

Signed-off-by: wwang <wei_wang@...lsil.com.cn>
---
 drivers/staging/rts_pstor/ms.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/staging/rts_pstor/ms.c b/drivers/staging/rts_pstor/ms.c
index dd59931..28d17c7 100644
--- a/drivers/staging/rts_pstor/ms.c
+++ b/drivers/staging/rts_pstor/ms.c
@@ -3361,8 +3361,8 @@ static int ms_rw_multi_sector(struct scsi_cmnd *srb, struct rtsx_chip *chip, u32
 	log_blk = (u16)(start_sector >> ms_card->block_shift);
 	start_page = (u8)(start_sector & ms_card->page_off);
 
-	for (seg_no = 0; seg_no < sizeof(ms_start_idx)/2; seg_no++) {
-		if (log_blk < ms_start_idx[seg_no+1])
+	for (seg_no = 0; seg_no < ARRAY_SIZE(ms_start_idx) - 1; seg_no++) {
+		if (log_blk < ms_start_idx[seg_no + 1])
 			break;
 	}
 
@@ -3494,8 +3494,8 @@ static int ms_rw_multi_sector(struct scsi_cmnd *srb, struct rtsx_chip *chip, u32
 
 		log_blk++;
 
-		for (seg_no = 0; seg_no < sizeof(ms_start_idx)/2; seg_no++) {
-			if (log_blk < ms_start_idx[seg_no+1])
+		for (seg_no = 0; seg_no < ARRAY_SIZE(ms_start_idx) - 1; seg_no++) {
+			if (log_blk < ms_start_idx[seg_no + 1])
 				break;
 		}
 
-- 
1.7.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ