[PATCH 05/11] UBUNTU: SAUCE: (drop after 2.6.39) Staging: rts_pstor: fix read past end of buffer

Keng-Yu Lin keng-yu.lin at canonical.com
Thu Mar 31 03:51:07 UTC 2011


From: Dan Carpenter <error27 at gmail.com>

We read one space past the end of the buffer because we add 1.

Also I changed it to use ARRAY_SIZE() instead of manually calculating
the size.

Signed-off-by: Dan Carpenter <error27 at gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>

BugLink: http://bugs.launchpad.net/bugs/698006
(cherry picked from commit 7e79f78b331632c1812ce9c07443550aa2b6c0fe)

Signed-off-by: Keng-Yu Lin <keng-yu.lin at canonical.com>
---
 drivers/staging/rts_pstor/ms.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/staging/rts_pstor/ms.c b/drivers/staging/rts_pstor/ms.c
index dd59931..a624f40 100644
--- a/drivers/staging/rts_pstor/ms.c
+++ b/drivers/staging/rts_pstor/ms.c
@@ -3361,7 +3361,7 @@ static int ms_rw_multi_sector(struct scsi_cmnd *srb, struct rtsx_chip *chip, u32
 	log_blk = (u16)(start_sector >> ms_card->block_shift);
 	start_page = (u8)(start_sector & ms_card->page_off);
 
-	for (seg_no = 0; seg_no < sizeof(ms_start_idx)/2; seg_no++) {
+	for (seg_no = 0; seg_no < ARRAY_SIZE(ms_start_idx) - 1; seg_no++) {
 		if (log_blk < ms_start_idx[seg_no+1])
 			break;
 	}
-- 
1.7.1





More information about the kernel-team mailing list