Commit cbe193f6 authored Jun 03, 2020 by Bean Huo Committed by Martin K. Petersen Jun 15, 2020

scsi: ufs: Fix potential NULL pointer access during memcpy

If param_offset is not 0, the memcpy length shouldn't be the true
descriptor length.

Link: https://lore.kernel.org/r/20200603091959.27618-4-huobean@gmail.com


Acked-by: Avri Altman <avri.altman@wdc.com>
Signed-off-by: Bean Huo <beanhuo@micron.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

parent c4607a09

drivers/scsi/ufs/ufshcd.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -3223,8 +3223,8 @@ int ufshcd_read_desc_param(struct ufs_hba *hba,
		}

		/* Check wherher we will not copy more data, than available */
		if (is_kmalloc && param_size > buff_len)
		param_size = buff_len;
		if (is_kmalloc && (param_offset + param_size) > buff_len)
		param_size = buff_len - param_offset;

		if (is_kmalloc)
		memcpy(param_read_buf, &desc_buf[param_offset], param_size);