From 0b7afdf301d477246d52b3ffa62386df1d271ad5 Mon Sep 17 00:00:00 2001 From: christos Date: Fri, 14 Apr 2006 19:51:21 +0000 Subject: [PATCH] Coverity CID 1535: Avoid reading past the end of arrays because we don't pay proper attention to the number of logical drives each controller can support. --- sys/dev/pci/amr.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/sys/dev/pci/amr.c b/sys/dev/pci/amr.c index 1ea749f90cff..81ffac550b72 100644 --- a/sys/dev/pci/amr.c +++ b/sys/dev/pci/amr.c @@ -1,4 +1,4 @@ -/* $NetBSD: amr.c,v 1.31 2005/12/11 19:34:47 jonathan Exp $ */ +/* $NetBSD: amr.c,v 1.32 2006/04/14 19:51:21 christos Exp $ */ /*- * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc. @@ -71,7 +71,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: amr.c,v 1.31 2005/12/11 19:34:47 jonathan Exp $"); +__KERNEL_RCSID(0, "$NetBSD: amr.c,v 1.32 2006/04/14 19:51:21 christos Exp $"); #include #include @@ -579,6 +579,13 @@ amr_init(struct amr_softc *amr, const char *intrstr, return (-1); } + if (aex->ae_numldrives > __arraycount(aex->ae_drivestate)) { + aprint_error("%s: Inquiry returned more drives (%d)" + " than the array can handle (%d)\n", + amr->amr_dv.dv_xname, aex->ae_numldrives, + __arraycount(aex->ae_drivestate)); + aex->ae_numldrives = __arraycount(aex->ae_drivestate); + } if (aex->ae_numldrives > AMR_MAX_UNITS) { aprint_error( "%s: adjust AMR_MAX_UNITS to %d (currently %d)" @@ -681,6 +688,13 @@ amr_init(struct amr_softc *amr, const char *intrstr, /* * Record state of logical drives. */ + if (ae->ae_ldrv.al_numdrives > __arraycount(ae->ae_ldrv.al_size)) { + aprint_error("%s: Inquiry returned more drives (%d)" + " than the array can handle (%d)\n", + amr->amr_dv.dv_xname, ae->ae_ldrv.al_numdrives, + __arraycount(ae->ae_ldrv.al_size)); + ae->ae_ldrv.al_numdrives = __arraycount(ae->ae_ldrv.al_size); + } if (ae->ae_ldrv.al_numdrives > AMR_MAX_UNITS) { aprint_error("%s: adjust AMR_MAX_UNITS to %d (currently %d)\n", amr->amr_dv.dv_xname, ae->ae_ldrv.al_numdrives, @@ -689,7 +703,7 @@ amr_init(struct amr_softc *amr, const char *intrstr, } else amr->amr_numdrives = ae->ae_ldrv.al_numdrives; - for (i = 0; i < AMR_MAX_UNITS; i++) { + for (i = 0; i < amr->amr_numdrives; i++) { amr->amr_drive[i].al_size = le32toh(ae->ae_ldrv.al_size[i]); amr->amr_drive[i].al_state = ae->ae_ldrv.al_state[i]; amr->amr_drive[i].al_properties = ae->ae_ldrv.al_properties[i]; @@ -878,7 +892,7 @@ amr_thread(void *cookie) amr_ccb_free(amr, ac); al = amr->amr_drive; - for (i = 0; i < AMR_MAX_UNITS; i++, al++) { + for (i = 0; i < __arraycount(ae->ae_ldrv.al_state); i++, al++) { if (al->al_dv == NULL) continue; if (al->al_state == ae->ae_ldrv.al_state[i])