
scsi: qedi: off by one in qedi_get_cmd_from_tid()

Message ID 20170825103657.6kwprvwfks7szn3b@mwanda (mailing list archive)
State Accepted, archived

Commit Message

Dan Carpenter Aug. 25, 2017, 10:36 a.m. UTC
The > here should be >= or we end up reading one element beyond the end
of the qedi->itt_map[] array.  The qedi->itt_map[] array is allocated in
qedi_alloc_itt().

Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Comments

Rangankar, Manish Aug. 28, 2017, 5:34 a.m. UTC | #1
On 25/08/17 4:06 PM, "Dan Carpenter" <dan.carpenter@oracle.com> wrote:

>The > here should be >= or we end up reading one element beyond the end
>of the qedi->itt_map[] array.  The qedi->itt_map[] array is allocated in
>qedi_alloc_itt().
>
>Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI
>driver framework.")
>Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
>diff --git a/drivers/scsi/qedi/qedi_main.c b/drivers/scsi/qedi/qedi_main.c
>index c4a470bab4dd..cccc34adc0e0 100644
>--- a/drivers/scsi/qedi/qedi_main.c
>+++ b/drivers/scsi/qedi/qedi_main.c
>@@ -1576,7 +1576,7 @@ struct qedi_cmd *qedi_get_cmd_from_tid(struct
>qedi_ctx *qedi, u32 tid)
> {
> 	struct qedi_cmd *cmd = NULL;
> 
>-	if (tid > MAX_ISCSI_TASK_ENTRIES)
>+	if (tid >= MAX_ISCSI_TASK_ENTRIES)
> 		return NULL;
> 
> 	cmd = qedi->itt_map[tid].p_cmd;
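Review bot: the new bound at `if (tid >= MAX_ISCSI_TASK_ENTRIES)` is correct only if qedi->itt_map[] holds exactly MAX_ISCSI_TASK_ENTRIES elements, and neither the hunk nor the commit message shows the element count used by the allocation in qedi_alloc_itt(). Please state the allocated element count in the commit message so the check can be verified against it without opening the allocator.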

Thanks for the patch.

Acked-by: Manish Rangankar <Manish.Rangankar@cavium.com>


Martin K. Petersen Aug. 29, 2017, 2:13 a.m. UTC | #2
Dan,

> The > here should be >= or we end up reading one element beyond the
> end of the qedi->itt_map[] array.  The qedi->itt_map[] array is
> allocated in qedi_alloc_itt().

Applied to 4.13/scsi-fixes. Thank you!

Patch

diff --git a/drivers/scsi/qedi/qedi_main.c b/drivers/scsi/qedi/qedi_main.c
index c4a470bab4dd..cccc34adc0e0 100644
--- a/drivers/scsi/qedi/qedi_main.c
+++ b/drivers/scsi/qedi/qedi_main.c
@@ -1576,7 +1576,7 @@  struct qedi_cmd *qedi_get_cmd_from_tid(struct qedi_ctx *qedi, u32 tid)
 {
 	struct qedi_cmd *cmd = NULL;
 
-	if (tid > MAX_ISCSI_TASK_ENTRIES)
+	if (tid >= MAX_ISCSI_TASK_ENTRIES)
 		return NULL;
 
 	cmd = qedi->itt_map[tid].p_cmd;
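Review bot: with the check changed to `if (tid >= MAX_ISCSI_TASK_ENTRIES)`, the value tid == MAX_ISCSI_TASK_ENTRIES now takes the `return NULL;` path instead of reaching `cmd = qedi->itt_map[tid].p_cmd;`. The hunk shows no caller, so it is worth confirming that every caller of qedi_get_cmd_from_tid() checks for NULL before dereferencing the result, and noting that in the commit message.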