From a77e3362a224212d9d3b9e6fdec44df2eef6cf92 Mon Sep 17 00:00:00 2001
From: "KAMBAROV, ZAUR" <kambarov@berkeley.edu>
Date: Tue, 28 Jun 2005 20:45:06 -0700
Subject: [PATCH] [PATCH] coverity: i386: scsi_lib buffer overrun fix

The check in

627  		BUG_ON(index > SG_MEMPOOL_NR);

with SG_MEMPOOL_NR defined in

32   	#define SG_MEMPOOL_NR		(sizeof(scsi_sg_pools)/sizeof(struct scsi_host_sg_pool))

was not sufficient.

sgp, set in

629  		sgp = scsi_sg_pools + index;

is dereferenced in

630  		mempool_free(sgl, sgp->pool);

Signed-off-by: Zaur Kambarov <zkambarov@coverity.com>
Cc: <linux-scsi@vger.kernel.org>
Cc: James Bottomley <James.Bottomley@steeleye.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
---
 drivers/scsi/scsi_lib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 621dee8b8cb..10506f9cd0c 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -632,7 +632,7 @@ static void scsi_free_sgtable(struct scatterlist *sgl, int index)
 {
 	struct scsi_host_sg_pool *sgp;
 
-	BUG_ON(index > SG_MEMPOOL_NR);
+	BUG_ON(index >= SG_MEMPOOL_NR);
 
 	sgp = scsi_sg_pools + index;
 	mempool_free(sgl, sgp->pool);
-- 
2.41.0