qed: off by one in qed_parse_mcp_trace_buf()
authorDan Carpenter <dan.carpenter@oracle.com>
Wed, 4 Jul 2018 09:52:36 +0000 (12:52 +0300)
committerDavid S. Miller <davem@davemloft.net>
Thu, 5 Jul 2018 11:13:26 +0000 (20:13 +0900)
If format_idx == s_mcp_trace_meta.formats_num then we read one element
beyond the end of the s_mcp_trace_meta.formats[] array.

Fixes: 50bc60cb155c ("qed*: Utilize FW 8.33.11.0")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Tomer Tayar <Tomer.Tayar@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ethernet/qlogic/qed/qed_debug.c

index a14e484890299565ee8fdac8851ed9d7f3e90437..4340c4c90bcbe8b03e5373cfc674c8840ff640d9 100644 (file)
@@ -6723,7 +6723,7 @@ static enum dbg_status qed_parse_mcp_trace_buf(u8 *trace_buf,
                format_idx = header & MFW_TRACE_EVENTID_MASK;
 
                /* Skip message if its index doesn't exist in the meta data */
-               if (format_idx > s_mcp_trace_meta.formats_num) {
+               if (format_idx >= s_mcp_trace_meta.formats_num) {
                        u8 format_size =
                                (u8)((header & MFW_TRACE_PRM_SIZE_MASK) >>
                                     MFW_TRACE_PRM_SIZE_SHIFT);