From ce1f31b4c0b9551dd51874dd5364654ed4ca13ae Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Tue, 7 Jan 2020 16:06:07 +0300 Subject: ide: serverworks: potential overflow in svwks_set_pio_mode() The "drive->dn" variable is a u8 controlled by root. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller --- drivers/ide/serverworks.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'drivers') diff --git a/drivers/ide/serverworks.c b/drivers/ide/serverworks.c index ac6fc3fffa0d..458e72e034b0 100644 --- a/drivers/ide/serverworks.c +++ b/drivers/ide/serverworks.c @@ -115,6 +115,9 @@ static void svwks_set_pio_mode(ide_hwif_t *hwif, ide_drive_t *drive) struct pci_dev *dev = to_pci_dev(hwif->dev); const u8 pio = drive->pio_mode - XFER_PIO_0; + if (drive->dn >= ARRAY_SIZE(drive_pci)) + return; + pci_write_config_byte(dev, drive_pci[drive->dn], pio_modes[pio]); if (svwks_csb_check(dev)) { @@ -141,6 +144,9 @@ static void svwks_set_dma_mode(ide_hwif_t *hwif, ide_drive_t *drive) u8 ultra_enable = 0, ultra_timing = 0, dma_timing = 0; + if (drive->dn >= ARRAY_SIZE(drive_pci2)) + return; + pci_read_config_byte(dev, (0x56|hwif->channel), &ultra_timing); pci_read_config_byte(dev, 0x54, &ultra_enable); -- cgit v1.2.3