From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S932178AbcCBBJ6 (ORCPT <rfc822;w@1wt.eu>);
	Tue, 1 Mar 2016 20:09:58 -0500
Received: from userp1040.oracle.com ([156.151.31.81]:39873 "EHLO
	userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1756162AbcCBBJy (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 1 Mar 2016 20:09:54 -0500
To: Colin King <colin.king@canonical.com>
Cc: Narsimhulu Musini <nmusini@cisco.com>,
        Sesidhar Baddela <sebaddel@cisco.com>,
        "James E . J . Bottomley" <JBottomley@odin.com>,
        "Martin K . Petersen" <martin.petersen@oracle.com>,
        linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] snic: correctly check for array overrun on overly long version number
From: "Martin K. Petersen" <martin.petersen@oracle.com>
Organization: Oracle Corporation
References: <1456441105-19042-1-git-send-email-colin.king@canonical.com>
Date: Tue, 01 Mar 2016 20:09:44 -0500
In-Reply-To: <1456441105-19042-1-git-send-email-colin.king@canonical.com>
	(Colin King's message of "Thu, 25 Feb 2016 22:58:25 +0000")
Message-ID: <yq1povdbs87.fsf@sermon.lab.mkp.net>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Source-IP: userv0022.oracle.com [156.151.31.74]
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

>>>>> "Colin" == Colin King <colin.king@canonical.com> writes:

Colin> The snic version number is expected to be 4 decimals in the form
Colin> like a netmask string with each number stored in an element in
Colin> array v.  However, there is an off-by-one check on the number of
Colin> elements in v allowing one to pass a 5 decimal version number
Colin> causing v[4] to be referenced, causing a buffer overrun.  Fix the
Colin> off-by-one error by comparing to i > 3 rather than 4.

Applied to 4.6/scsi-queue.

-- 
Martin K. Petersen	Oracle Linux Engineering