author: Dan Carpenter <error27@gmail.com>, 2010-06-09 08:01:54 -0400
committer: Jeff Garzik <jgarzik@redhat.com>, 2010-06-10 16:06:33 -0400
commit: 14e45c15e1dcc4d972b41343661683efd60fed72
tree: 96635555f499e15ae8b0eb2a0e0d45233544f80b
parent: 7908a9e5fc3f9a679b1777ed231a03636c068446
sata_sil24: memset() overflow
cb->atapi.cdb is an array of 16 u8 elements. The call to memset()
would set the first part of the sge array to zero as well. It's not
a packed struct.
This one has been around for five years. I found it with Smatch. I
think the reason no one has seen it before is because we normally call
sil24_fill_sg() and that overwrites sge with proper information?
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
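The overflow the commit message describes, as an added example that is not code from the sata_sil24 driver or the kernel: a constructed struct that mirrors the layout described above (a 16-byte CDB array followed directly by an SGE array, not packed) shows how a memset() with a hard-coded 32 silently zeroes the first SGE entry, why sizeof() on the array is the right length, and the bound the following memcpy() needs so the overflow cannot come back through the copy. All names here (cmd_block, sge_entry, fill_cdb, SGE_FILL) and the sample CDB are assumptions for the demo, not the driver's.

```c
/* Added example, not code from the sata_sil24 driver or the kernel: a
 * constructed struct that mirrors the layout the commit message describes
 * (a 16-byte CDB array followed directly by an SGE array, not packed) to
 * show how memset(cdb, 0, 32) spills into the neighbouring member and why
 * sizeof(cdb) is the right length. All names here (cmd_block, sge_entry,
 * fill_cdb, SGE_FILL) are assumptions for the demo, not the driver's. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SGE_FILL 0xA5u   /* marker byte so clobbered bytes are visible */

struct sge_entry {       /* 16 bytes, no padding */
    uint64_t addr;
    uint32_t cnt;
    uint32_t flags;
};

struct cmd_block {
    uint8_t          cdb[16];
    struct sge_entry sge[4];
};

_Static_assert(offsetof(struct cmd_block, sge) == sizeof(((struct cmd_block *)0)->cdb),
               "sge must directly follow cdb for this demo");

/* Apply a memset of `len` bytes at the cdb offset inside a raw byte copy of
 * the block (kept in-bounds of the whole block so the demo itself has no
 * undefined behaviour), then count how many sge bytes were zeroed. */
static size_t sge_bytes_clobbered(size_t len)
{
    uint8_t raw[sizeof(struct cmd_block)];
    struct cmd_block cb;
    size_t n = 0;

    if (len > sizeof raw)           /* would run past the whole block */
        return sizeof raw;
    memset(raw, SGE_FILL, sizeof raw);
    memset(raw + offsetof(struct cmd_block, cdb), 0, len);   /* the bug, simulated */
    memcpy(&cb, raw, sizeof cb);

    for (size_t i = 0; i < sizeof cb.sge; i++)
        if (((const uint8_t *)cb.sge)[i] != SGE_FILL)
            n++;
    return n;
}

/* The fixed form, plus the guard the following memcpy needs: a CDB longer
 * than the array is rejected instead of overflowing by another route. */
static int fill_cdb(struct cmd_block *cb, const uint8_t *cdb, size_t cdb_len)
{
    if (cdb_len > sizeof(cb->cdb))
        return -1;
    memset(cb->cdb, 0, sizeof(cb->cdb));
    memcpy(cb->cdb, cdb, cdb_len);
    return 0;
}

/* Returns 1 if fill_cdb() zero-pads the CDB and leaves sge[] untouched. */
static int fixed_fill_keeps_sge(void)
{
    struct cmd_block cb;
    /* Constructed 12-byte INQUIRY-style CDB; only the opcode and length
     * bytes are set, the rest stay zero. */
    const uint8_t cdb[12] = { 0x12, 0x00, 0x00, 0x00, 0x24 };

    memset(&cb, SGE_FILL, sizeof cb);
    if (fill_cdb(&cb, cdb, sizeof cdb) != 0)
        return 0;
    if (cb.cdb[0] != 0x12 || cb.cdb[4] != 0x24 || cb.cdb[15] != 0)
        return 0;
    return cb.sge[0].cnt == 0xA5A5A5A5u && cb.sge[3].flags == 0xA5A5A5A5u;
}

int main(void)
{
    printf("sge bytes clobbered by memset(cdb, 0, 32): %zu\n",
           sge_bytes_clobbered(32));
    printf("sge bytes clobbered by memset(cdb, 0, sizeof cdb): %zu\n",
           sge_bytes_clobbered(sizeof(((struct cmd_block *)0)->cdb)));
    printf("fixed fill keeps sge: %d\n", fixed_fill_keeps_sge());
    printf("oversized cdb rejected: %d\n", fill_cdb(NULL, NULL, 32) == -1);
    return 0;
}
```

The simulation writes into a raw byte buffer the size of the whole block rather than calling memset() past the array directly, so the program itself stays well-defined and is not stopped by FORTIFY_SOURCE; the clobber count it reports is exactly what the real call produced in the driver, since sge[] begins at the byte after cdb[15]. Note that the spill is silent: no crash, just an SGE entry of zeros until something (sil24_fill_sg() in the commit message's account) overwrites it again.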
 drivers/ata/sata_sil24.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/ata/sata_sil24.c b/drivers/ata/sata_sil24.c
index 70b58fe9e5b..a7f0139c3aa 100644
--- a/drivers/ata/sata_sil24.c
+++ b/drivers/ata/sata_sil24.c
@@ -865,7 +865,7 @@ static void sil24_qc_prep(struct ata_queued_cmd *qc)
865 | } else { | 865 | } else { |
866 | prb = &cb->atapi.prb; | 866 | prb = &cb->atapi.prb; |
867 | sge = cb->atapi.sge; | 867 | sge = cb->atapi.sge; |
868 | memset(cb->atapi.cdb, 0, 32); | 868 | memset(cb->atapi.cdb, 0, sizeof(cb->atapi.cdb)); |
869 | memcpy(cb->atapi.cdb, qc->cdb, qc->dev->cdb_len); | 869 | memcpy(cb->atapi.cdb, qc->cdb, qc->dev->cdb_len); |
870 | 870 | ||
871 | if (ata_is_data(qc->tf.protocol)) { | 871 | if (ata_is_data(qc->tf.protocol)) { |
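Review bot: the memcpy() on line 869, directly after the corrected memset(), still copies qc->dev->cdb_len bytes into the same 16-byte cb->atapi.cdb array, and nothing in this hunk bounds cdb_len, so the fix only holds as long as cdb_len can never exceed sizeof(cb->atapi.cdb). Worth either a comment pointing at where cdb_len is limited to 16, or a cheap guard ahead of the copy, e.g. `WARN_ON_ONCE(qc->dev->cdb_len > sizeof(cb->atapi.cdb));`, so a device reporting a longer CDB does not reintroduce the same overflow into sge through the copy instead of the clear. The sizeof() change itself is the right shape of fix: it follows the array's declared size rather than a magic number that had drifted from it.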