svn commit: r298670 - head/sys/dev/ciss

[Conrad E. Meyer]

Author: cem
Date: Tue Apr 26 22:01:07 2016
New Revision: 298670
URL: https://svnweb.freebsd.org/changeset/base/298670

Log:
  ciss(4): Fix overrun of array
  
  The softc member 'ciss_logical' is an array of 'ciss_max_logical_bus' members.
  Most of the time it is iterated correctly.  This patch fixes the two instances
  where the driver iterated off the end of the array.
  
  Reported by:	Coverity
  CID:		1305492
  Sponsored by:	EMC / Isilon Storage Division

Modified:
  head/sys/dev/ciss/ciss.c

Modified: head/sys/dev/ciss/ciss.c
==============================================================================
--- head/sys/dev/ciss/ciss.c	Tue Apr 26 21:44:08 2016	(r298669)
+++ head/sys/dev/ciss/ciss.c	Tue Apr 26 22:01:07 2016	(r298670)
@@ -1431,7 +1431,7 @@ ciss_init_logical(struct ciss_softc *sc)
 	goto out;
     }
 
-    for (i = 0; i <= sc->ciss_max_logical_bus; i++) {
+    for (i = 0; i < sc->ciss_max_logical_bus; i++) {
 	sc->ciss_logical[i] =
 	    malloc(sc->ciss_cfg->max_logical_supported *
 		   sizeof(struct ciss_ldrive),
@@ -2030,7 +2030,7 @@ ciss_free(struct ciss_softc *sc)
     if (sc->ciss_parent_dmat)
 	bus_dma_tag_destroy(sc->ciss_parent_dmat);
     if (sc->ciss_logical) {
-	for (i = 0; i <= sc->ciss_max_logical_bus; i++) {
+	for (i = 0; i < sc->ciss_max_logical_bus; i++) {
 	    for (j = 0; j < sc->ciss_cfg->max_logical_supported; j++) {
 		if (sc->ciss_logical[i][j].cl_ldrive)
 		    free(sc->ciss_logical[i][j].cl_ldrive, CISS_MALLOC_CLASS);