Re: [PATCH v3 44/77] ncr5380: Fix off-by-one bug in extended_msg[] bounds check

2015-12-21 Thread Hannes Reinecke 

On 12/22/2015 02:18 AM, Finn Thain wrote:

Fix the array bounds check when transferring an extended message from the
target.

Signed-off-by: Finn Thain 

---
  drivers/scsi/NCR5380.c   |3 ++-
  drivers/scsi/atari_NCR5380.c |4 ++--
  2 files changed, 4 insertions(+), 3 deletions(-)


Reviewed-by: Hannes Reinecke 

Cheers,

Hannes
--
Dr. Hannes Reinecke   zSeries & Storage
h...@suse.de  +49 911 74053 688
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: J. Hawn, J. Guild, F. Imendörffer, HRB 16746 (AG Nürnberg)
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[PATCH v3 44/77] ncr5380: Fix off-by-one bug in extended_msg[] bounds check

2015-12-21 Thread Finn Thain 
Fix the array bounds check when transferring an extended message from the
target.

Signed-off-by: Finn Thain 

---
 drivers/scsi/NCR5380.c   |3 ++-
 drivers/scsi/atari_NCR5380.c |4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

Index: linux/drivers/scsi/NCR5380.c
===
--- linux.orig/drivers/scsi/NCR5380.c   2015-12-22 12:16:35.0 +1100
+++ linux/drivers/scsi/NCR5380.c2015-12-22 12:16:36.0 +1100
@@ -2039,7 +2039,8 @@ static void NCR5380_information_transfer
 
dprintk(NDEBUG_EXTENDED, "scsi%d : 
length=%d, code=0x%02x\n", instance->host_no, (int) extended_msg[1], (int) 
extended_msg[2]);
 
-   if (!len && extended_msg[1] <= 
(sizeof(extended_msg) - 1)) {
+   if (!len && extended_msg[1] > 0 &&
+   extended_msg[1] <= 
sizeof(extended_msg) - 2) {
/* Accept third byte by 
clearing ACK */

NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE);
len = extended_msg[1] - 1;
Index: linux/drivers/scsi/atari_NCR5380.c
===
--- linux.orig/drivers/scsi/atari_NCR5380.c 2015-12-22 12:16:35.0 
+1100
+++ linux/drivers/scsi/atari_NCR5380.c  2015-12-22 12:16:36.0 +1100
@@ -2330,8 +2330,8 @@ static void NCR5380_information_transfer
dprintk(NDEBUG_EXTENDED, "scsi%d: 
length=%d, code=0x%02x\n", HOSTNO,
   (int)extended_msg[1], 
(int)extended_msg[2]);
 
-   if (!len && extended_msg[1] <=
-   (sizeof(extended_msg) - 1)) {
+   if (!len && extended_msg[1] > 0 &&
+   extended_msg[1] <= 
sizeof(extended_msg) - 2) {
/* Accept third byte by 
clearing ACK */

NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE);
len = extended_msg[1] - 1;


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[PATCH v3 44/77] ncr5380: Fix off-by-one bug in extended_msg[] bounds check

2015-12-21 Thread Finn Thain 
Fix the array bounds check when transferring an extended message from the
target.

Signed-off-by: Finn Thain 

---
 drivers/scsi/NCR5380.c   |3 ++-
 drivers/scsi/atari_NCR5380.c |4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

Index: linux/drivers/scsi/NCR5380.c
===
--- linux.orig/drivers/scsi/NCR5380.c   2015-12-22 12:16:35.0 +1100
+++ linux/drivers/scsi/NCR5380.c2015-12-22 12:16:36.0 +1100
@@ -2039,7 +2039,8 @@ static void NCR5380_information_transfer
 
dprintk(NDEBUG_EXTENDED, "scsi%d : 
length=%d, code=0x%02x\n", instance->host_no, (int) extended_msg[1], (int) 
extended_msg[2]);
 
-   if (!len && extended_msg[1] <= 
(sizeof(extended_msg) - 1)) {
+   if (!len && extended_msg[1] > 0 &&
+   extended_msg[1] <= 
sizeof(extended_msg) - 2) {
/* Accept third byte by 
clearing ACK */

NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE);
len = extended_msg[1] - 1;
Index: linux/drivers/scsi/atari_NCR5380.c
===
--- linux.orig/drivers/scsi/atari_NCR5380.c 2015-12-22 12:16:35.0 
+1100
+++ linux/drivers/scsi/atari_NCR5380.c  2015-12-22 12:16:36.0 +1100
@@ -2330,8 +2330,8 @@ static void NCR5380_information_transfer
dprintk(NDEBUG_EXTENDED, "scsi%d: 
length=%d, code=0x%02x\n", HOSTNO,
   (int)extended_msg[1], 
(int)extended_msg[2]);
 
-   if (!len && extended_msg[1] <=
-   (sizeof(extended_msg) - 1)) {
+   if (!len && extended_msg[1] > 0 &&
+   extended_msg[1] <= 
sizeof(extended_msg) - 2) {
/* Accept third byte by 
clearing ACK */

NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE);
len = extended_msg[1] - 1;


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH v3 44/77] ncr5380: Fix off-by-one bug in extended_msg[] bounds check

2015-12-21 Thread Hannes Reinecke 

On 12/22/2015 02:18 AM, Finn Thain wrote:

Fix the array bounds check when transferring an extended message from the
target.

Signed-off-by: Finn Thain 

---
  drivers/scsi/NCR5380.c   |3 ++-
  drivers/scsi/atari_NCR5380.c |4 ++--
  2 files changed, 4 insertions(+), 3 deletions(-)


Reviewed-by: Hannes Reinecke 

Cheers,

Hannes
--
Dr. Hannes Reinecke   zSeries & Storage
h...@suse.de  +49 911 74053 688
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: J. Hawn, J. Guild, F. Imendörffer, HRB 16746 (AG Nürnberg)
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/