* [bug #1] arcmsr: read past end of array in arcmsr_report_sense_info()
@ 2014-02-07 13:00 Dan Carpenter
From: Dan Carpenter @ 2014-02-07 13:00 UTC
To: erich; +Cc: linux-scsi
Hello Erich Chen,
The patch 1c57e86d75cf: "[SCSI] arcmsr: initial driver, version
1.20.00.13" from Jul 12, 2006, leads to the following static checker
warning:

	drivers/scsi/arcmsr/arcmsr_hba.c:816 arcmsr_report_sense_info()
	error: memcpy() 'ccb->arcmsr_cdb.SenseData' too small (15 vs 18)

drivers/scsi/arcmsr/arcmsr_hba.c
   805  static void arcmsr_report_sense_info(struct CommandControlBlock *ccb)
   806  {
   807
   808          struct scsi_cmnd *pcmd = ccb->pcmd;
   809          struct SENSE_DATA *sensebuffer = (struct SENSE_DATA *)pcmd->sense_buffer;
   810          pcmd->result = DID_OK << 16;
   811          if (sensebuffer) {
   812                  int sense_data_length =
   813                          sizeof(struct SENSE_DATA) < SCSI_SENSE_BUFFERSIZE
   814                          ? sizeof(struct SENSE_DATA) : SCSI_SENSE_BUFFERSIZE;
   815                  memset(sensebuffer, 0, SCSI_SENSE_BUFFERSIZE);
   816                  memcpy(sensebuffer, ccb->arcmsr_cdb.SenseData, sense_data_length);
                                            ^^^^^^^^^^^^^^^^^^^^^^^^^
This buffer is 15 bytes but we copy 18 bytes so we are reading past the
end of the array.

   817                  sensebuffer->ErrorCode = SCSI_SENSE_CURRENT_ERRORS;
   818                  sensebuffer->Valid = 1;
   819          }
   820  }

regards,
dan carpenter
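
The length computed at lines 812-814 is bounded by the destination struct and the sense buffer but never by the source array, which is what the checker flags. The following user-space sketch is an added example, not part of the original message or the driver: it shows the 3-byte over-read and one way to bound the copy by the source size as well. The 15 and 18 come from the warning; the 96-byte buffer size and all names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* 15 and 18 are taken from the checker warning; 96 is an assumed
 * stand-in for SCSI_SENSE_BUFFERSIZE. All names are hypothetical. */
#define SRC_LEN    15	/* sizeof(ccb->arcmsr_cdb.SenseData) */
#define STRUCT_LEN 18	/* sizeof(struct SENSE_DATA) */
#define BUF_LEN    96

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Length as computed at lines 812-814: bounded by the destination only. */
size_t driver_copy_len(void) { return min_sz(STRUCT_LEN, BUF_LEN); }

/* Bytes a copy of copy_len would read beyond a src_len-byte source. */
size_t overread(size_t copy_len, size_t src_len)
{
	return copy_len > src_len ? copy_len - src_len : 0;
}

/* Bounded copy: zero the destination, then copy no more than the source holds. */
size_t copy_sense(unsigned char *dst, size_t dst_len,
		  const unsigned char *src, size_t src_len)
{
	size_t n = min_sz(src_len, min_sz(STRUCT_LEN, dst_len));

	memset(dst, 0, dst_len);
	memcpy(dst, src, n);
	return n;
}

/* Constructed input: returns 1 if exactly SRC_LEN bytes were copied
 * and the rest of the destination stayed zeroed. */
int demo_bounded_copy(void)
{
	unsigned char src[SRC_LEN], dst[BUF_LEN];
	size_t i, n;

	memset(src, 0xAA, sizeof(src));
	memset(dst, 0xFF, sizeof(dst));
	n = copy_sense(dst, sizeof(dst), src, sizeof(src));
	for (i = 0; i < sizeof(dst); i++)
		if (dst[i] != (i < n ? 0xAA : 0x00))
			return 0;
	return n == SRC_LEN;
}

int main(void) { return demo_bounded_copy() ? 0 : 1; }
```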