From 074479ba16436b4ebb882a7f8bafdbe7a6a6311e Mon Sep 17 00:00:00 2001
From: Bart Van Assche
Date: Sat, 26 Feb 2011 09:48:58 +0000
Subject: [PATCH] ib_srpt: Fix potential out-of-bounds array access

git-svn-id: http://svn.code.sf.net/p/scst/svn/trunk@3262 d57e44dd-8a1f-0410-8b47-8ef2f437770f
---
 srpt/src/ib_srpt.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/srpt/src/ib_srpt.c b/srpt/src/ib_srpt.c
index 169d80216..d8b46ea5f 100644
--- a/srpt/src/ib_srpt.c
+++ b/srpt/src/ib_srpt.c
@@ -2693,7 +2693,8 @@ static int srpt_map_sg_to_ib_sge(struct srpt_rdma_ch *ch,
 if (ioctx->rdma_ius && ioctx->n_rdma_ius)
 nrdma = ioctx->n_rdma_ius;
 else {
- nrdma = count / SRPT_DEF_SG_PER_WQE + ioctx->n_rbuf;
+ nrdma = (count + SRPT_DEF_SG_PER_WQE - 1) / SRPT_DEF_SG_PER_WQE + ioctx->n_rbuf;

 ioctx->rdma_ius = kzalloc(nrdma * sizeof *riu,
 scst_cmd_atomic(scmnd)
@@ -2772,6 +2773,9 @@ static int srpt_map_sg_to_ib_sge(struct srpt_rdma_ch *ch,
 goto free_mem;
 }

+ EXTRACHECKS_WARN_ON(riu - ioctx->rdma_ius != ioctx->n_rdma);
+ EXTRACHECKS_WARN_ON(ioctx->n_rdma > ioctx->n_rdma_ius);
+
 db = ioctx->rbufs;
 tsize = (dir == SCST_DATA_READ)
 ? scst_cmd_get_adjusted_resp_data_len(scmnd)
@@ -2814,15 +2818,17 @@ static int srpt_map_sg_to_ib_sge(struct srpt_rdma_ch *ch,
 }

 ++k;
- if (k == riu->sge_cnt && rsize > 0) {
+ if (k == riu->sge_cnt && rsize > 0 && tsize > 0) {
 ++riu;
 sge = riu->sge;
 k = 0;
- } else if (rsize > 0)
+ } else if (rsize > 0 && tsize > 0)
 ++sge;
 }
 }

+ EXTRACHECKS_WARN_ON(riu - ioctx->rdma_ius != ioctx->n_rdma);
+
 return 0;

 free_mem:
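Review bot: The allocation that consumes the corrected count, `kzalloc(nrdma * sizeof *riu, ...)`, still multiplies without an overflow check, and `nrdma` includes `ioctx->n_rbuf`, which presumably reflects a buffer-descriptor count taken from the initiator's request. `kcalloc(nrdma, sizeof *riu, ...)` with the same GFP expression keeps the zeroing and fails cleanly if the product would wrap. The round-up itself would read more clearly as `nrdma = DIV_ROUND_UP(count, SRPT_DEF_SG_PER_WQE) + ioctx->n_rbuf;`. The kzalloc call continues past the end of the hunk, so its remaining arguments are not visible here.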
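Review bot: The two `EXTRACHECKS_WARN_ON()` lines in the second hunk report an overrun of `ioctx->rdma_ius` only after the first pass has finished advancing `riu`, and judging by the macro name they are presumably compiled out unless extra checks are enabled, so a production build gets no bound enforcement from them. The same holds for the assertion added before `return 0;` in the third hunk. If the `nrdma` estimate can ever be short, the guard belongs where `riu` is advanced (outside this hunk), for example `if (riu - ioctx->rdma_ius >= nrdma) goto free_mem;` before the next element is written. Whether an error code is set on that path cannot be checked from the visible lines.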
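Review bot: The `tsize > 0` terms added in the third hunk carry the bounds fix for this loop, but nothing in the code says why they are needed, so a later clean-up could drop them as redundant next to `rsize > 0`. A comment above the `if` would protect them, e.g. `/* Step to the next riu/sge only while data remains, so riu never moves past the last element in use. */` (the rationale is inferred from the commit subject and should be confirmed). The test `rsize > 0 && tsize > 0` is now repeated in both branches and could be evaluated once into a local. The enclosing loops start outside the hunk.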