Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

esas2r: Fix array overrun

Check the array size *before* dereferencing it with a user provided
offset.

Signed-off-by: Alan Cox <alan@linux.intel.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Alan 9 years ago
parent
5a51a7abca
commit
5b2e0c1bef
1 changed files with 3 additions and 2 deletions
Split View Show Diff Stats
  1. 3 2
      drivers/scsi/esas2r/esas2r_ioctl.c

+ 3 - 2
drivers/scsi/esas2r/esas2r_ioctl.c
View File 

@@ -1360,14 +1360,15 @@ int esas2r_ioctl_handler(void *hostdata, int cmd, void __user *arg)
 
 	if (ioctl->header.channel == 0xFF) {
 
 		a = (struct esas2r_adapter *)hostdata;
 
 	} else {
 
-		a = esas2r_adapters[ioctl->header.channel];
 
-		if (ioctl->header.channel >= MAX_ADAPTERS || (a == NULL)) {
 
+		if (ioctl->header.channel >= MAX_ADAPTERS ||
 
+			esas2r_adapters[ioctl->header.channel] == NULL) {
 
 			ioctl->header.return_code = IOCTL_BAD_CHANNEL;
 
 			esas2r_log(ESAS2R_LOG_WARN, "bad channel value");
 
 			kfree(ioctl);
 
 
 			return -ENOTSUPP;
 
 		}
 
+		a = esas2r_adapters[ioctl->header.channel];
 
 	}
 
 
 	switch (cmd) {