drivers/ide/pci/cs5535.c: array overrun

drivers/ide/pci/cs5535.c: array overrun

[Adrian Bunk]

The Coverity checker spotted the following array overrun in 
drivers/ide/pci/cs5535.c:

<--  snip  -->

...
static unsigned int cs5535_udma_timings[5] =
{ 0x7F7436A1, 0x7F733481, 0x7F723261, 0x7F713161, 0x7F703061 };
...
static void cs5535_set_speed(ide_drive_t *drive, u8 speed)
{
...
                if (speed >= XFER_UDMA_0 && speed <= XFER_UDMA_7)
                        reg |= cs5535_udma_timings[speed - XFER_UDMA_0];
...

<--  snip  -->

XFER_UDMA_7 - XFER_UDMA_0 = 7  >  (5 - 1)

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Re: drivers/ide/pci/cs5535.c: array overrun

[Jordan Crouse]

[-- Attachment #1: Type: text/plain, Size: 411 bytes --]

> The Coverity checker spotted the following array overrun in 
> drivers/ide/pci/cs5535.c:

<-- snip -->

>	if (speed >= XFER_UDMA_0 && speed <= XFER_UDMA_7)
>		reg |= cs5535_udma_timings[speed - XFER_UDMA_0];

Fix is attached.  Somebody got overzealous - the 5535 only supports
up to UDMA4, which matches the array.

Jordan
-- 
Jordan Crouse
Systems Software Development Engineer 
Advanced Micro Devices, Inc.

[-- Attachment #2: 5535-fix-overrun.patch --]
[-- Type: text/x-diff, Size: 1024 bytes --]

[PATCH] Fix an ovverun found in the 5535 IDE driver

From: Jordan Crouse <jordan.crouse@amd.com>

As found by the Coverity checker, and reported by Adrian Bunk, this
fixes a overrun error in the 5535 IDE driver.  Somebody got a little
excited with the if() statement - the 5535 only supports UDMA 0-4.

Signed-off-by: Jordan Crouse <jordan.crouse@amd.com>
---

 drivers/ide/pci/cs5535.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/ide/pci/cs5535.c b/drivers/ide/pci/cs5535.c
index ce44e38..9bd526d 100644
--- a/drivers/ide/pci/cs5535.c
+++ b/drivers/ide/pci/cs5535.c
@@ -116,7 +116,7 @@ static void cs5535_set_speed(ide_drive_t *drive, u8 speed)
 
 		reg &= 0x80000000UL;  /* Preserve the PIO format bit */
 
-		if (speed >= XFER_UDMA_0 && speed <= XFER_UDMA_7)
+		if (speed >= XFER_UDMA_0 && speed <= XFER_UDMA_4)
 			reg |= cs5535_udma_timings[speed - XFER_UDMA_0];
 		else if (speed >= XFER_MW_DMA_0 && speed <= XFER_MW_DMA_2)
 			reg |= cs5535_mwdma_timings[speed - XFER_MW_DMA_0];

Re: drivers/ide/pci/cs5535.c: array overrun

[Bartlomiej Zolnierkiewicz]

Hi,

On Tuesday 24 July 2007, Jordan Crouse wrote:
> > The Coverity checker spotted the following array overrun in 
> > drivers/ide/pci/cs5535.c:
> 
> <-- snip -->
> 
> >	if (speed >= XFER_UDMA_0 && speed <= XFER_UDMA_7)
> >		reg |= cs5535_udma_timings[speed - XFER_UDMA_0];

Not a bug per se since the upper layer will never feed this function
with speed > XFER_UDMA_4 (thanks to ->ultra_mask being set to 0x1f).

Worth fixing anyway.

> Fix is attached.  Somebody got overzealous - the 5535 only supports
> up to UDMA4, which matches the array.

applied, thanks

Bart