loopback: off by one in tcm_loop_make_naa_tpg()

This is an off by one 'tgpt' check in tcm_loop_make_naa_tpg() that could result
in memory corruption.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Nicholas A. Bellinger <nab@linux-iscsi.org>

diff --git a/drivers/target/loopback/tcm_loop.c b/drivers/target/loopback/tcm_loop.c
index c2937b2035d33c89f6431f40a36797f842ac0a0e..083d6c51f052fddf4a614b6d4fb9e5693c781b46 100644 (file)
--- a/drivers/target/loopback/tcm_loop.c
+++ b/drivers/target/loopback/tcm_loop.c
@@ -1205,7 +1205,7 @@ struct se_portal_group *tcm_loop_make_naa_tpg(
        tpgt_str += 5; /* Skip ahead of "tpgt_" */
        tpgt = (unsigned short int) simple_strtoul(tpgt_str, &end_ptr, 0);
 
-       if (tpgt > TL_TPGS_PER_HBA) {
+       if (tpgt >= TL_TPGS_PER_HBA) {
                printk(KERN_ERR "Passed tpgt: %hu exceeds TL_TPGS_PER_HBA:"
                                " %u\n", tpgt, TL_TPGS_PER_HBA);
                return ERR_PTR(-EINVAL);