[PATCH] Fix bug: accessing past end of array.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



If the card is re-inserted 2 or more times, we access elements
past the end of the aha152x_host array.

Also correct spelling errors.

This is for 2.6.17.

Signed-off-by Alex Davis <alex14641 at yahoo dot com>
=========================================================================
diff -u linux-2.6.17.1-orig/drivers/scsi/aha152x.c linux-2.6.17.1/drivers/scsi/aha152x.c
--- linux-2.6.17.1-orig/drivers/scsi/aha152x.c	2006-06-17 21:49:35.000000000 -0400
+++ linux-2.6.17.1/drivers/scsi/aha152x.c	2006-06-25 20:06:05.000000000 -0400
@@ -766,7 +766,7 @@
 	struct Scsi_Host *shpnt = lookup_irq(irqno);
 
 	if (!shpnt) {
-        	printk(KERN_ERR "aha152x: catched software interrupt %d for unknown controller.\n",
irqno);
+        	printk(KERN_ERR "aha152x: caught software interrupt %d for unknown controller.\n",
irqno);
 		return IRQ_NONE;
 	}
 
@@ -779,6 +779,7 @@
 struct Scsi_Host *aha152x_probe_one(struct aha152x_setup *setup)
 {
 	struct Scsi_Host *shpnt;
+	int i;
 
 	shpnt = scsi_host_alloc(&aha152x_driver_template, sizeof(struct aha152x_hostdata));
 	if (!shpnt) {
@@ -787,6 +788,22 @@
 	}
 
 	/* need to have host registered before triggering any interrupt */
+
+	/* find an empty slot. */
+	for ( i = 0; i < ARRAY_SIZE(aha152x_host); ++i ) {
+		if ( aha152x_host[i] == NULL ) {
+			break;
+		}
+	}
+
+	/* no empty slots? */
+	if ( i >= ARRAY_SIZE(aha152x_host) ) {
+		printk(KERN_ERR "aha152x: too many hosts: %d\n", i + 1);
+		return NULL;
+	}
+
+	registered_count = i;
+
 	aha152x_host[registered_count] = shpnt;
 
 	memset(HOSTDATA(shpnt), 0, sizeof *HOSTDATA(shpnt));
@@ -915,6 +932,8 @@
 
 void aha152x_release(struct Scsi_Host *shpnt)
 {
+	int i;
+
 	if(!shpnt)
 		return;
 
@@ -933,6 +952,12 @@
 
 	scsi_remove_host(shpnt);
 	scsi_host_put(shpnt);
+	for ( i = 0; i < ARRAY_SIZE(aha152x_host); ++i ) {
+		if ( aha152x_host[i] == shpnt ) {
+			aha152x_host[i] = NULL;
+			break;
+		}
+	}
 }
 
 
@@ -1458,7 +1483,7 @@
 	unsigned char rev, dmacntrl0;
 
 	if (!shpnt) {
-		printk(KERN_ERR "aha152x: catched interrupt %d for unknown controller.\n", irqno);
+		printk(KERN_ERR "aha152x: caught interrupt %d for unknown controller.\n", irqno);
 		return IRQ_NONE;
 	}
 
@@ -2976,6 +3001,9 @@
 	Scsi_Cmnd *ptr;
 	unsigned long flags;
 
+	if(!shpnt)
+		return;
+
 	DO_LOCK(flags);
 	printk(KERN_DEBUG "\nqueue status:\nissue_SC:\n");
 	for (ptr = ISSUE_SC; ptr; ptr = SCNEXT(ptr))
@@ -3941,7 +3969,6 @@
 
 	for(i=0; i<ARRAY_SIZE(setup); i++) {
 		aha152x_release(aha152x_host[i]);
-		aha152x_host[i]=NULL;
 	}
 }

I code, therefore I am

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux