| commit | 80eb9b8c4426c6dd145a39f4a44a6fa590de385d | |
| author | Prasad J Pandit <pjp@fedoraproject.org> | |
| Wed, 25 May 2016 12:25:10 +0000 (25 17:55 +0530) | ||
| committer | Michael Roth <mdroth@linux.vnet.ibm.com> | |
| Tue, 9 Aug 2016 19:30:08 +0000 (9 14:30 -0500) | ||
| tree | ea7273d477f2b21baf312680594daa3a42073f86 | treesnapshot (tar.gz zip) |
| parent | 19dcd481acaef73ba700e8e50ad14dbd41a59b58 | commitdiff |
scsi: megasas: check 'read_queue_head' index value
While doing MegaRAID SAS controller command frame lookup, routine
'megasas_lookup_frame' uses 'read_queue_head' value as an index
into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value
within array bounds to avoid any OOB access.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1464179110-18593-1-git-send-email-ppandit@redhat.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
While doing MegaRAID SAS controller command frame lookup, routine
'megasas_lookup_frame' uses 'read_queue_head' value as an index
into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value
within array bounds to avoid any OOB access.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1464179110-18593-1-git-send-email-ppandit@redhat.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
| hw/scsi/megasas.c | diffblobblamehistory |