ide: serverworks: potential overflow in svwks_set_pio_mode()
authorDan Carpenter <dan.carpenter@oracle.com>
Tue, 7 Jan 2020 13:06:07 +0000 (16:06 +0300)
committerDavid S. Miller <davem@davemloft.net>
Mon, 20 Jan 2020 12:38:27 +0000 (13:38 +0100)
The "drive->dn" variable is a u8 controlled by root.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/ide/serverworks.c

index ac6fc3f..458e72e 100644 (file)
@@ -115,6 +115,9 @@ static void svwks_set_pio_mode(ide_hwif_t *hwif, ide_drive_t *drive)
        struct pci_dev *dev = to_pci_dev(hwif->dev);
        const u8 pio = drive->pio_mode - XFER_PIO_0;
 
+       if (drive->dn >= ARRAY_SIZE(drive_pci))
+               return;
+
        pci_write_config_byte(dev, drive_pci[drive->dn], pio_modes[pio]);
 
        if (svwks_csb_check(dev)) {
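Review bot: The new guard bounds `drive->dn`, but the next line still indexes `pio_modes[pio]`, where `pio = drive->pio_mode - XFER_PIO_0` is a u8 that wraps to a large value if `pio_mode` is below `XFER_PIO_0`, and no range check on it is visible in this hunk. If the IDE core does not already clamp `pio_mode` for this driver (not visible here), the guard should cover both indexes: `if (drive->dn >= ARRAY_SIZE(drive_pci) || pio >= ARRAY_SIZE(pio_modes)) return;`. The early return is also silent, so a rejected request leaves the timing registers unchanged with no trace. A short comment such as `/* drive->dn can be set by root; refuse out-of-range values instead of indexing past drive_pci[] */` would record why the check exists. The body of svwks_set_pio_mode() continues past the end of this hunk, so later uses of `drive->dn` and `pio` are not covered by this note.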
@@ -141,6 +144,9 @@ static void svwks_set_dma_mode(ide_hwif_t *hwif, ide_drive_t *drive)
 
        u8 ultra_enable  = 0, ultra_timing = 0, dma_timing = 0;
 
+       if (drive->dn >= ARRAY_SIZE(drive_pci2))
+               return;
+
        pci_read_config_byte(dev, (0x56|hwif->channel), &ultra_timing);
        pci_read_config_byte(dev, 0x54, &ultra_enable);