From: Gerald Schaefer <geraldsc@de.ibm.com>
Subject: cio: airq - fix array boundary
References: bnc#482818,LTC#51920

Symptom: Potential memory overwrite.
Problem: In airq, array definitions use a length of MAX_ISC, which is
a valid isc number. So if drivers are using adapter
interrupts with the lowest isc, memory may be overwritten.
Solution: Use array lengths of MAX_ISC+1

Acked-by: John Jolly <jjolly@suse.de>
13 drivers/s390/cio/airq.c | 4 ++--
14 1 file changed, 2 insertions(+), 2 deletions(-)
16 Index: linux-sles11/drivers/s390/cio/airq.c
17 ===================================================================
18 --- linux-sles11.orig/drivers/s390/cio/airq.c 2008-10-10 00:13:53.000000000 +0200
19 +++ linux-sles11/drivers/s390/cio/airq.c 2009-02-27 14:32:43.000000000 +0100
20 @@ -34,8 +34,8 @@ struct airq_t {
24 -static union indicator_t indicators[MAX_ISC];
25 -static struct airq_t *airqs[MAX_ISC][NR_AIRQS];
26 +static union indicator_t indicators[MAX_ISC+1];
27 +static struct airq_t *airqs[MAX_ISC+1][NR_AIRQS];
29 static int register_airq(struct airq_t *airq, u8 isc)
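
Review bot: The new declarations `indicators[MAX_ISC+1]` and `airqs[MAX_ISC+1][NR_AIRQS]` record the fact that MAX_ISC is itself a valid index only through a repeated bare `+1`, with no comment. A one-line comment above them, or a single named count (for example a hypothetical `NR_ISC` defined as `MAX_ISC + 1`), would keep the next isc-indexed array from reintroducing the same off-by-one. Kernel coding style also puts spaces around the operator: `MAX_ISC + 1`. Separately, `register_airq()` in the trailing context takes `u8 isc`, and no range check is visible in this hunk. It is worth confirming that an isc greater than MAX_ISC is rejected before it indexes either array, since the larger arrays only cover values up to MAX_ISC.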