Message ID | 20170804081733.ujuulvyh4nwgdl6n@mwanda (mailing list archive) |
---|---|
State | Accepted, archived |
Headers | show |
Dan, > If i is negative then it's less than OS_FM_TAB_MAX so we read before > the start of the STp->header_cache->dat_fm_tab.fm_tab_ent[] array. Applied to 4.14/scsi-queue. Thanks!
diff --git a/drivers/scsi/osst.c b/drivers/scsi/osst.c index 97ab5f160bc6..2db87ec04f48 100644 --- a/drivers/scsi/osst.c +++ b/drivers/scsi/osst.c @@ -619,7 +619,7 @@ static int osst_verify_frame(struct osst_tape * STp, int frame_seq_number, int q os_aux_t * aux = STp->buffer->aux; os_partition_t * par = &(aux->partition); struct st_partstat * STps = &(STp->ps[STp->partition]); - int blk_cnt, blk_sz, i; + unsigned int blk_cnt, blk_sz, i; if (STp->raw) { if (STp->buffer->syscall_result) {
The code looks like this: i = ntohl(aux->filemark_cnt); if (STp->header_cache != NULL && i < OS_FM_TAB_MAX && (i > STp->filemark_cnt || STp->first_frame_position - 1 != ntohl(STp->header_cache->dat_fm_tab.fm_tab_ent[i]))) { If i is negative then it's less than OS_FM_TAB_MAX so we read before the start of the STp->header_cache->dat_fm_tab.fm_tab_ent[] array. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- There is a second static checker warning that I didn't know how to address: drivers/scsi/osst.c:723 osst_verify_frame() warn: potential integer overflow from user 'blk_cnt * blk_sz'