HBSD MFC: ciss(4): Fix overrun of array

The softc member 'ciss_logical' is an array of 'ciss_max_logical_bus' members. Most of the time it is iterated correctly. This patch fixes the two instances where the driver iterated off the end of the array. Reported by: Coverity CID: 1305492 Sponsored by: EMC / Isilon Storage Division (cherry picked from commit cfbeb94)
HardenedBSD · Apr 26, 2016 · a9b0932 · a9b0932
1 parent d4b3b90
commit a9b0932
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/sys/dev/ciss/ciss.c b/sys/dev/ciss/ciss.c
@@ -1431,7 +1431,7 @@ ciss_init_logical(struct ciss_softc *sc)
 	goto out;
     }
 
-    for (i = 0; i <= sc->ciss_max_logical_bus; i++) {
+    for (i = 0; i < sc->ciss_max_logical_bus; i++) {
 	sc->ciss_logical[i] =
 	    malloc(sc->ciss_cfg->max_logical_supported *
 		   sizeof(struct ciss_ldrive),
@@ -2030,7 +2030,7 @@ ciss_free(struct ciss_softc *sc)
     if (sc->ciss_parent_dmat)
 	bus_dma_tag_destroy(sc->ciss_parent_dmat);
     if (sc->ciss_logical) {
-	for (i = 0; i <= sc->ciss_max_logical_bus; i++) {
+	for (i = 0; i < sc->ciss_max_logical_bus; i++) {
 	    for (j = 0; j < sc->ciss_cfg->max_logical_supported; j++) {
 		if (sc->ciss_logical[i][j].cl_ldrive)
 		    free(sc->ciss_logical[i][j].cl_ldrive, CISS_MALLOC_CLASS);