[PATCH] coverity: i386: scsi_lib buffer overrun fix The check in 627 BUG_ON(index > SG_MEMPOOL_NR); with SG_MEMPOOL_NR defined in 32 #define SG_MEMPOOL_NR (sizeof(scsi_sg_pools)/sizeof(struct scsi_host_sg_pool)) was not sufficient. sgp, set in 629 sgp = scsi_sg_pools + index; is dereferenced in 630 mempool_free(sgl, sgp->pool); Signed-off-by: Zaur Kambarov <zkambarov@coverity.com> Cc: <linux-scsi@vger.kernel.org> Cc: James Bottomley <James.Bottomley@steeleye.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

commit: a77e3362a224212d9d3b9e6fdec44df2eef6cf92 [log] [tgz]
author: KAMBAROV, ZAUR <kambarov@berkeley.edu> Tue Jun 28 20:45:06 2005 -0700
committer: Linus Torvalds <torvalds@ppc970.osdl.org> Tue Jun 28 21:20:33 2005 -0700
tree: 5ebf2ebc3df91674101b6a5591753ee1d999abea
parent: a8f5034540195307362d071a8b387226b410469f [diff] [blame]
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 621dee8..10506f9 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c

@@ -632,7 +632,7 @@
 {
 	struct scsi_host_sg_pool *sgp;
 
-	BUG_ON(index > SG_MEMPOOL_NR);
+	BUG_ON(index >= SG_MEMPOOL_NR);
 
 	sgp = scsi_sg_pools + index;
 	mempool_free(sgl, sgp->pool);
commit	a77e3362a224212d9d3b9e6fdec44df2eef6cf92	[log] [tgz]
author	KAMBAROV, ZAUR <kambarov@berkeley.edu>	Tue Jun 28 20:45:06 2005 -0700
committer	Linus Torvalds <torvalds@ppc970.osdl.org>	Tue Jun 28 21:20:33 2005 -0700
tree	5ebf2ebc3df91674101b6a5591753ee1d999abea
parent	a8f5034540195307362d071a8b387226b410469f [diff] [blame]