* [patch] [SCSI] tcm_loop: off by one in tcm_loop_make_naa_tpg()
From: Dan Carpenter @ 2011-03-29 3:18 UTC
To: Nicholas A. Bellinger
Cc: James Bottomley, Christoph Hellwig, linux-kernel, kernel-janitors
This is an off by one that could result in memory corruption.
Signed-off-by: Dan Carpenter <error27@gmail.com>
diff --git a/drivers/target/loopback/tcm_loop.c b/drivers/target/loopback/tcm_loop.c
index aed4e46..2bb5062 100644
--- a/drivers/target/loopback/tcm_loop.c
+++ b/drivers/target/loopback/tcm_loop.c
@@ -1239,7 +1239,7 @@ struct se_portal_group *tcm_loop_make_naa_tpg(
tpgt_str += 5; /* Skip ahead of "tpgt_" */
tpgt = (unsigned short int) simple_strtoul(tpgt_str, &end_ptr, 0);
- if (tpgt > TL_TPGS_PER_HBA) {
+ if (tpgt >= TL_TPGS_PER_HBA) {
printk(KERN_ERR "Passed tpgt: %hu exceeds TL_TPGS_PER_HBA:"
" %u\n", tpgt, TL_TPGS_PER_HBA);
return ERR_PTR(-EINVAL);
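Review bot: The narrowing cast on the simple_strtoul() line runs before the corrected bound check, so a parsed value above the range of unsigned short is truncated first and can then pass `tpgt >= TL_TPGS_PER_HBA` as if it were a valid index. Consider keeping the result in an unsigned long, rejecting it when it is >= TL_TPGS_PER_HBA, and only then assigning it to tpgt. Within the lines shown, end_ptr is also never examined, so trailing non-numeric characters after the number would be accepted silently.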
* Re: [patch] [SCSI] tcm_loop: off by one in tcm_loop_make_naa_tpg()
From: Nicholas A. Bellinger @ 2011-04-02 21:01 UTC
To: Dan Carpenter
Cc: James Bottomley, Christoph Hellwig, linux-kernel, kernel-janitors
On Tue, 2011-03-29 at 06:18 +0300, Dan Carpenter wrote:
> This is an off by one that could result in memory corruption.
>
> Signed-off-by: Dan Carpenter <error27@gmail.com>
>
Hi Dan,
Apologies for the delayed response on here..
This has been included as commit fb9b35be into lio-core-2.6.git/lio-4.1
@ .39-rc1, and will get this queued to James as a 'for-39' mainline
bugfix item.
Thank you!
--nab
> diff --git a/drivers/target/loopback/tcm_loop.c b/drivers/target/loopback/tcm_loop.c
> index aed4e46..2bb5062 100644
> --- a/drivers/target/loopback/tcm_loop.c
> +++ b/drivers/target/loopback/tcm_loop.c
> @@ -1239,7 +1239,7 @@ struct se_portal_group *tcm_loop_make_naa_tpg(
> tpgt_str += 5; /* Skip ahead of "tpgt_" */
> tpgt = (unsigned short int) simple_strtoul(tpgt_str, &end_ptr, 0);
>
> - if (tpgt > TL_TPGS_PER_HBA) {
> + if (tpgt >= TL_TPGS_PER_HBA) {
> printk(KERN_ERR "Passed tpgt: %hu exceeds TL_TPGS_PER_HBA:"
> " %u\n", tpgt, TL_TPGS_PER_HBA);
> return ERR_PTR(-EINVAL);
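Review bot: With the comparison changed to `>=`, the printk text "exceeds TL_TPGS_PER_HBA" is now also emitted when tpgt equals the limit, which makes the log line misleading; wording such as "must be less than TL_TPGS_PER_HBA" would match the check. The commit message says only that this "could result in memory corruption"; stating which object is overrun when tpgt equals TL_TPGS_PER_HBA would make the fix easier to audit and backport.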