From patchwork Thu Mar 31 03:51:07 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [05/11] UBUNTU: SAUCE: (drop after 2.6.39) Staging: rts_pstor: fix read past end of buffer Date: Wed, 30 Mar 2011 17:51:07 -0000 From: Keng-Yu Lin X-Patchwork-Id: 89013 Message-Id: <1301543473-11146-6-git-send-email-keng-yu.lin@canonical.com> To: kernel-team@lists.ubuntu.com From: Dan Carpenter We read one space past the end of the buffer because we add 1. Also I changed it to use ARRAY_SIZE() instead of manually calculating the size. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman BugLink: http://bugs.launchpad.net/bugs/698006 (cherry picked from commit 7e79f78b331632c1812ce9c07443550aa2b6c0fe) Signed-off-by: Keng-Yu Lin --- drivers/staging/rts_pstor/ms.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/drivers/staging/rts_pstor/ms.c b/drivers/staging/rts_pstor/ms.c index dd59931..a624f40 100644 --- a/drivers/staging/rts_pstor/ms.c +++ b/drivers/staging/rts_pstor/ms.c @@ -3361,7 +3361,7 @@ static int ms_rw_multi_sector(struct scsi_cmnd *srb, struct rtsx_chip *chip, u32 log_blk = (u16)(start_sector >> ms_card->block_shift); start_page = (u8)(start_sector & ms_card->page_off); - for (seg_no = 0; seg_no < sizeof(ms_start_idx)/2; seg_no++) { + for (seg_no = 0; seg_no < ARRAY_SIZE(ms_start_idx) - 1; seg_no++) { if (log_blk < ms_start_idx[seg_no+1]) break; }
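Review bot: The new bound in the `for` loop of ms_rw_multi_sector() keeps the `ms_start_idx[seg_no+1]` read in range, but the fall-through case is still ambiguous. If `log_blk` is not below any entry, the loop ends without a `break` and leaves `seg_no == ARRAY_SIZE(ms_start_idx) - 1`. Nothing in the visible lines checks for that, so confirm that this is a valid segment number for the code that follows, or add an explicit range check after the loop. A one-line comment that the `- 1` exists because the body indexes `seg_no+1` would also help keep a later cleanup from reintroducing the over-read. Separately, `log_blk` is produced by a `(u16)` cast of a shifted `u32 start_sector`, so it is worth confirming that the shifted value always fits in 16 bits before it is compared against the table.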