| From 361e2e315b7c987cf0f92c1cbeeb0b2afe782314 Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Tue, 7 Jan 2020 16:04:41 +0300 |
| Subject: [PATCH] cmd64x: potential buffer overflow in cmd64x_program_timings() |
| |
| commit 117fcc3053606d8db5cef8821dca15022ae578bb upstream. |
| |
| The "drive->dn" value is a u8 and it is controlled by root only, but |
| it could be out of bounds here so let's check. |
| |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/drivers/ide/cmd64x.c b/drivers/ide/cmd64x.c |
| index a1898e11b04e..943bf944bf72 100644 |
| --- a/drivers/ide/cmd64x.c |
| +++ b/drivers/ide/cmd64x.c |
| @@ -66,6 +66,9 @@ static void cmd64x_program_timings(ide_drive_t *drive, u8 mode) |
| struct ide_timing t; |
| u8 arttim = 0; |
| |
| + if (drive->dn >= ARRAY_SIZE(drwtim_regs)) |
| + return; |
| + |
| ide_timing_compute(drive, mode, &t, T, 0); |
| |
| /* |
| -- |
| 2.7.4 |
| |