From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Nicholas A. Bellinger" Subject: [PATCH 1/9] ib_srpt: Fix potential out-of-bounds array access Date: Mon, 24 Oct 2011 05:33:34 +0000 Message-ID: <1319434422-15354-2-git-send-email-nab@linux-iscsi.org> References: <1319434422-15354-1-git-send-email-nab@linux-iscsi.org> Return-path: In-Reply-To: <1319434422-15354-1-git-send-email-nab@linux-iscsi.org> Sender: linux-scsi-owner@vger.kernel.org To: target-devel , linux-rdma Cc: linux-scsi , Roland Dreier , Bart Van Assche , "Nicholas A. Bellinger" List-Id: linux-rdma@vger.kernel.org From: Bart Van Assche This patch fixes a potential out-of-bounds array access in srpt_map_sg_to_ib_sge(). This is bugfix port from SCST svn r3262 as recommended by Bart Van Assche for the initial ib_srpt merge. Cc: Bart Van Assche Cc: Roland Dreier Signed-off-by: Nicholas A. Bellinger --- drivers/infiniband/ulp/srpt/ib_srpt.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c index e412a35..383994d 100644 --- a/drivers/infiniband/ulp/srpt/ib_srpt.c +++ b/drivers/infiniband/ulp/srpt/ib_srpt.c @@ -1142,7 +1142,8 @@ static int srpt_map_sg_to_ib_sge(struct srpt_rdma_ch *ch, if (ioctx->rdma_ius && ioctx->n_rdma_ius) nrdma = ioctx->n_rdma_ius; else { - nrdma = count / SRPT_DEF_SG_PER_WQE + ioctx->n_rbuf; + nrdma = (count + SRPT_DEF_SG_PER_WQE - 1) / SRPT_DEF_SG_PER_WQE + + ioctx->n_rbuf; ioctx->rdma_ius = kzalloc(nrdma * sizeof *riu, GFP_KERNEL); if (!ioctx->rdma_ius) @@ -1258,11 +1259,11 @@ static int srpt_map_sg_to_ib_sge(struct srpt_rdma_ch *ch, } ++k; - if (k == riu->sge_cnt && rsize > 0) { + if (k == riu->sge_cnt && rsize > 0 && tsize > 0) { ++riu; sge = riu->sge; k = 0; - } else if (rsize > 0) + } else if (rsize > 0 && tsize > 0) ++sge; } } -- 1.7.2.5