From: Dan Carpenter Date: Wed, 9 Jun 2010 12:01:54 +0000 (+0200) Subject: sata_sil24: memset() overflow X-Git-Tag: upstream/snapshot3+hdmi~14004 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=14e45c15e1dcc4d972b41343661683efd60fed72;p=platform%2Fadaptation%2Frenesas_rcar%2Frenesas_kernel.git sata_sil24: memset() overflow cb->atapi.cdb is an array of 16 u8 elements. The call too memset() would set the first part of the sge array to zero as well. It's not a packed struct. This one has been around for five years. I found it with Smatch. I think the reason no one has seen it before is because we normally call sil24_fill_sg() and that overwrites sge with proper information? Signed-off-by: Dan Carpenter Signed-off-by: Jeff Garzik --- diff --git a/drivers/ata/sata_sil24.c b/drivers/ata/sata_sil24.c index 70b58fe..a7f0139 100644 --- a/drivers/ata/sata_sil24.c +++ b/drivers/ata/sata_sil24.c @@ -865,7 +865,7 @@ static void sil24_qc_prep(struct ata_queued_cmd *qc) } else { prb = &cb->atapi.prb; sge = cb->atapi.sge; - memset(cb->atapi.cdb, 0, 32); + memset(cb->atapi.cdb, 0, sizeof(cb->atapi.cdb)); memcpy(cb->atapi.cdb, qc->cdb, qc->dev->cdb_len); if (ata_is_data(qc->tf.protocol)) {