Patchwork [05/11] UBUNTU: SAUCE: (drop after 2.6.39) Staging: rts_pstor: fix read past end of buffer

login
register
mail settings
Submitter Keng-Yu Lin
Date March 31, 2011, 3:51 a.m.
Message ID <1301543473-11146-6-git-send-email-keng-yu.lin@canonical.com>
Download mbox | patch
Permalink /patch/89013/
State New
Headers show

Comments

Keng-Yu Lin - March 31, 2011, 3:51 a.m.
From: Dan Carpenter <error27@gmail.com>

We read one space past the end of the buffer because we add 1.

Also I changed it to use ARRAY_SIZE() instead of manually calculating
the size.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

BugLink: http://bugs.launchpad.net/bugs/698006
(cherry picked from commit 7e79f78b331632c1812ce9c07443550aa2b6c0fe)

Signed-off-by: Keng-Yu Lin <keng-yu.lin@canonical.com>
---
 drivers/staging/rts_pstor/ms.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

Patch

diff --git a/drivers/staging/rts_pstor/ms.c b/drivers/staging/rts_pstor/ms.c
index dd59931..a624f40 100644
--- a/drivers/staging/rts_pstor/ms.c
+++ b/drivers/staging/rts_pstor/ms.c
@@ -3361,7 +3361,7 @@  static int ms_rw_multi_sector(struct scsi_cmnd *srb, struct rtsx_chip *chip, u32
 	log_blk = (u16)(start_sector >> ms_card->block_shift);
 	start_page = (u8)(start_sector & ms_card->page_off);
 
-	for (seg_no = 0; seg_no < sizeof(ms_start_idx)/2; seg_no++) {
+	for (seg_no = 0; seg_no < ARRAY_SIZE(ms_start_idx) - 1; seg_no++) {
 		if (log_blk < ms_start_idx[seg_no+1])
 			break;
 	}