From patchwork Thu Jun 16 10:44:34 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 9180465 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id AF4D36075D for ; Thu, 16 Jun 2016 10:44:49 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A104427248 for ; Thu, 16 Jun 2016 10:44:49 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 9588127DF9; Thu, 16 Jun 2016 10:44:49 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2098027248 for ; Thu, 16 Jun 2016 10:44:49 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753892AbcFPKos (ORCPT ); Thu, 16 Jun 2016 06:44:48 -0400 Received: from userp1040.oracle.com ([156.151.31.81]:45297 "EHLO userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752605AbcFPKoq (ORCPT ); Thu, 16 Jun 2016 06:44:46 -0400 Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u5GAihFA025949 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 16 Jun 2016 10:44:43 GMT Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by userv0022.oracle.com (8.14.4/8.13.8) with ESMTP id u5GAihZU014632 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 16 Jun 2016 10:44:43 GMT Received: from abhmp0010.oracle.com (abhmp0010.oracle.com [141.146.116.16]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id u5GAigHO014063; Thu, 16 Jun 2016 10:44:43 GMT Received: from mwanda (/154.0.139.178) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 16 Jun 2016 03:44:42 -0700 Date: Thu, 16 Jun 2016 13:44:34 +0300 From: Dan Carpenter To: Anil Gurumurthy Cc: Sudarsana Kalluru , "James E.J. Bottomley" , "Martin K. Petersen" , linux-scsi@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [patch] bfa: clean up some bounds checking Message-ID: <20160616104434.GB24067@mwanda> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.6.0 (2016-04-01) X-Source-IP: userv0022.oracle.com [156.151.31.74] Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This code is supposed to search ->adapter_hwpath[] and replace the second colon with a NUL character. Unfortunately, the boundary checks that ensure we don't go beyond the end of the buffer have a couple problems. Imagine that the string has no colons. In that case, in the first loop, we read one space beyond the end of the buffer and then exit the loop. In the next loop, we increment once, read two characters beyond the end of the buffer and then exit. Then after the loop we put a NUL character two characters past the end of the buffer. Signed-off-by: Dan Carpenter --- This is from static analysis and not tested. Caveat emptor. -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/scsi/bfa/bfad_bsg.c b/drivers/scsi/bfa/bfad_bsg.c index d1ad020..dfb26f0 100644 --- a/drivers/scsi/bfa/bfad_bsg.c +++ b/drivers/scsi/bfa/bfad_bsg.c @@ -106,10 +106,17 @@ bfad_iocmd_ioc_get_info(struct bfad_s *bfad, void *cmd) /* set adapter hw path */ strcpy(iocmd->adapter_hwpath, bfad->pci_name); - for (i = 0; iocmd->adapter_hwpath[i] != ':' && i < BFA_STRING_32; i++) - ; - for (; iocmd->adapter_hwpath[++i] != ':' && i < BFA_STRING_32; ) - ; + i = -1; + while (++i < BFA_STRING_32) { + if (iocmd->adapter_hwpath[i] == ':') + break; + } + while (++i < BFA_STRING_32) { + if (iocmd->adapter_hwpath[i] == ':') + break; + } + if (i >= BFA_STRING_32) + i = BFA_STRING_32 - 1; iocmd->adapter_hwpath[i] = '\0'; iocmd->status = BFA_STATUS_OK; return 0;