From: Dan Carpenter Date: Wed, 27 Jun 2012 08:59:36 +0000 (+0300) Subject: [SCSI] bfa: off by one in bfa_ioc_mbox_isr() X-Git-Tag: v3.12-rc1~2685^2~60 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=fffa69230b7bbfc62d8cfb515c3e658224a0f88c;p=kernel%2Fkernel-generic.git [SCSI] bfa: off by one in bfa_ioc_mbox_isr() If mc == BFI_MC_MAX then we're reading past the end of the mod->mbhdlr[] array. Signed-off-by: Dan Carpenter Acked-by: Krishna Gudipati Signed-off-by: James Bottomley --- diff --git a/drivers/scsi/bfa/bfa_ioc.c b/drivers/scsi/bfa/bfa_ioc.c index 14e6284..8cdb79c 100644 --- a/drivers/scsi/bfa/bfa_ioc.c +++ b/drivers/scsi/bfa/bfa_ioc.c @@ -2357,7 +2357,7 @@ bfa_ioc_mbox_isr(struct bfa_ioc_s *ioc) return; } - if ((mc > BFI_MC_MAX) || (mod->mbhdlr[mc].cbfn == NULL)) + if ((mc >= BFI_MC_MAX) || (mod->mbhdlr[mc].cbfn == NULL)) return; mod->mbhdlr[mc].cbfn(mod->mbhdlr[mc].cbarg, &m);
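Review bot: In the changed condition, `mc >= BFI_MC_MAX` ties the bound to the enum limit rather than to the array itself, so it stays correct only while mod->mbhdlr[] is declared with exactly BFI_MC_MAX entries, as the commit message implies. If mbhdlr is a true array member, `mc >= ARRAY_SIZE(mod->mbhdlr)` would make the test follow the declaration. The type of mc is not visible in this hunk; if it is signed, a negative value would pass this test and index before the start of the array, so it is worth confirming that it is unsigned. The out-of-range path also returns silently, which hides an unexpected message class from anyone debugging the mailbox; a trace or counter before the `return` would make it observable.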