From: wwang <[email protected]> Thanks Dan Carpenter <[email protected]> who helps to find this bug. There are two places where we read one space past the end of buffer.
Signed-off-by: wwang <[email protected]> --- drivers/staging/rts_pstor/ms.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/staging/rts_pstor/ms.c b/drivers/staging/rts_pstor/ms.c index dd59931..28d17c7 100644 --- a/drivers/staging/rts_pstor/ms.c +++ b/drivers/staging/rts_pstor/ms.c @@ -3361,8 +3361,8 @@ static int ms_rw_multi_sector(struct scsi_cmnd *srb, struct rtsx_chip *chip, u32 log_blk = (u16)(start_sector >> ms_card->block_shift); start_page = (u8)(start_sector & ms_card->page_off); - for (seg_no = 0; seg_no < sizeof(ms_start_idx)/2; seg_no++) { - if (log_blk < ms_start_idx[seg_no+1]) + for (seg_no = 0; seg_no < ARRAY_SIZE(ms_start_idx) - 1; seg_no++) { + if (log_blk < ms_start_idx[seg_no + 1]) break; } @@ -3494,8 +3494,8 @@ static int ms_rw_multi_sector(struct scsi_cmnd *srb, struct rtsx_chip *chip, u32 log_blk++; - for (seg_no = 0; seg_no < sizeof(ms_start_idx)/2; seg_no++) { - if (log_blk < ms_start_idx[seg_no+1]) + for (seg_no = 0; seg_no < ARRAY_SIZE(ms_start_idx) - 1; seg_no++) { + if (log_blk < ms_start_idx[seg_no + 1]) break; } -- 1.7.4 _______________________________________________ devel mailing list [email protected] http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
