From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed, 20 Jun 2018 10:41:51 +0000 (+0300)
Subject: block: sed-opal: Fix a couple off by one bugs
X-Git-Tag: v4.19~515^2~24
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=ce042c183bcb94eb2919e8036473a1fc203420f9;p=platform%2Fkernel%2Flinux-rpi3.git

block: sed-opal: Fix a couple off by one bugs

resp->num is the number of tokens in resp->tok[].  It gets set in
response_parse().  So if n == resp->num then we're reading beyond the
end of the data.

Fixes: 455a7b238cd6 ("block: Add Sed-opal library")
Reviewed-by: Scott Bauer <scott.bauer@intel.com>
Tested-by: Scott Bauer <scott.bauer@intel.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---

diff --git a/block/sed-opal.c b/block/sed-opal.c
index 945f4b8..e0de4dd 100644
--- a/block/sed-opal.c
+++ b/block/sed-opal.c
@@ -877,7 +877,7 @@ static size_t response_get_string(const struct parsed_resp *resp, int n,
 		return 0;
 	}
 
-	if (n > resp->num) {
+	if (n >= resp->num) {
 		pr_debug("Response has %d tokens. Can't access %d\n",
 			 resp->num, n);
 		return 0;
@@ -916,7 +916,7 @@ static u64 response_get_u64(const struct parsed_resp *resp, int n)
 		return 0;
 	}
 
-	if (n > resp->num) {
+	if (n >= resp->num) {
 		pr_debug("Response has %d tokens. Can't access %d\n",
 			 resp->num, n);
 		return 0;