Kernel/linux-next
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git synced 2025-01-09 23:39:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

sata_sil24: memset() overflow

Browse Source 
cb->atapi.cdb is an array of 16 u8 elements.  The call too memset()
would set the first part of the sge array to zero as well.  It's not
a packed struct.

This one has been around for five years.  I found it with Smatch.  I
think the reason no one has seen it before is because we normally call
sil24_fill_sg() and that overwrites sge with proper information?

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
This commit is contained in:
Dan Carpenter 2010-06-09 14:01:54 +02:00 committed by Jeff Garzik
parent 7908a9e5fc
commit 14e45c15e1
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
drivers/ata/sata_sil24.c
View File

@ -865,7 +865,7 @@ static void sil24_qc_prep(struct ata_queued_cmd *qc)
} else {
prb = &cb->atapi.prb;
sge = cb->atapi.sge;
memset(cb->atapi.cdb, 0, 32);
memset(cb->atapi.cdb, 0, sizeof(cb->atapi.cdb));
memcpy(cb->atapi.cdb, qc->cdb, qc->dev->cdb_len);
if (ata_is_data(qc->tf.protocol)) {