Commit 5b2e0c1b authored by Alan's avatar Alan Committed by Martin K. Petersen
Browse files

esas2r: Fix array overrun 



Check the array size *before* dereferencing it with a user provided
offset.

Signed-off-by: default avatarAlan Cox <alan@linux.intel.com>
Reviewed-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: default avatarTomas Henzl <thenzl@redhat.com>
Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
parent 5a51a7ab

drivers/scsi/esas2r/esas2r_ioctl.c

+3 −2
Original line number Diff line number Diff line
@@ -1360,14 +1360,15 @@ int esas2r_ioctl_handler(void *hostdata, int cmd, void __user *arg) 
	if (ioctl->header.channel == 0xFF) {

		a = (struct esas2r_adapter *)hostdata;

	} else {

		a = esas2r_adapters[ioctl->header.channel];

		if (ioctl->header.channel >= MAX_ADAPTERS || (a == NULL)) {

		if (ioctl->header.channel >= MAX_ADAPTERS ||

			esas2r_adapters[ioctl->header.channel] == NULL) {

			ioctl->header.return_code = IOCTL_BAD_CHANNEL;

			esas2r_log(ESAS2R_LOG_WARN, "bad channel value");

			kfree(ioctl);



			return -ENOTSUPP;

		}

		a = esas2r_adapters[ioctl->header.channel];

	}



	switch (cmd) {