@@ -98,9 +98,9 @@ bfad_iocmd_ioc_get_info(struct bfad_s *bfad, void *cmd)
/* set adapter hw path */
strcpy(iocmd->adapter_hwpath, bfad->pci_name);
- for (i = 0; iocmd->adapter_hwpath[i] != ':' && i < BFA_STRING_32; i++)
+ for (i = 0; iocmd->adapter_hwpath[i] != ':' && i < BFA_STRING_32 - 2; i++)
;
- for (; iocmd->adapter_hwpath[++i] != ':' && i < BFA_STRING_32; )
+ for (; iocmd->adapter_hwpath[++i] != ':' && i < BFA_STRING_32 - 1; )
;
iocmd->adapter_hwpath[i] = '\0';
iocmd->status = BFA_STATUS_OK;
Loop conditions 'i < BFA_STRING_32' in bfad_iocmd_ioc_get_info() do not prevent buffer overflow while writing data to 'iocmd->adapter_hwpath[i]' after the loop because on incorrect data 'i' can be incremented anyway. The patch hardens the loop conditions to avoid buffer overflow in case of invalid data, while it does not affect the processing of valid 'adapter_hwpath'. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: e6826c96ced7 ("[SCSI] bfa: Add support to read/update the FRU data.") Signed-off-by: Valentina Goncharenko <goncharenko.vp@ispras.ru> --- drivers/scsi/bfa/bfad_bsg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)