diff options
author | Alan <gnomes@lxorguk.ukuu.org.uk> | 2016-02-15 22:01:29 +0300 |
---|---|---|
committer | Martin K. Petersen <martin.petersen@oracle.com> | 2016-02-24 05:27:02 +0300 |
commit | 5b2e0c1befe299fbd570b1a17dec8c5aa367a623 (patch) | |
tree | 6605237094757147637805f26fd2e8de7eb9181b /drivers/scsi/esas2r | |
parent | 5a51a7abca133860a6f4429655a9eda3c4afde32 (diff) | |
download | linux-5b2e0c1befe299fbd570b1a17dec8c5aa367a623.tar.xz |
esas2r: Fix array overrun
Check the array size *before* dereferencing it with a user provided
offset.
Signed-off-by: Alan Cox <alan@linux.intel.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Diffstat (limited to 'drivers/scsi/esas2r')
-rw-r--r-- | drivers/scsi/esas2r/esas2r_ioctl.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/scsi/esas2r/esas2r_ioctl.c b/drivers/scsi/esas2r/esas2r_ioctl.c index baf913047b48..3e8483410f61 100644 --- a/drivers/scsi/esas2r/esas2r_ioctl.c +++ b/drivers/scsi/esas2r/esas2r_ioctl.c @@ -1360,14 +1360,15 @@ int esas2r_ioctl_handler(void *hostdata, int cmd, void __user *arg) if (ioctl->header.channel == 0xFF) { a = (struct esas2r_adapter *)hostdata; } else { - a = esas2r_adapters[ioctl->header.channel]; - if (ioctl->header.channel >= MAX_ADAPTERS || (a == NULL)) { + if (ioctl->header.channel >= MAX_ADAPTERS || + esas2r_adapters[ioctl->header.channel] == NULL) { ioctl->header.return_code = IOCTL_BAD_CHANNEL; esas2r_log(ESAS2R_LOG_WARN, "bad channel value"); kfree(ioctl); return -ENOTSUPP; } + a = esas2r_adapters[ioctl->header.channel]; } switch (cmd) { |