[Skiboot] [PATCH] hw/lpc: Fix theoretical possible out-of-bounds-read

Mon Jun 3 17:41:21 AEST 2019

number of elements versus starting counting from 0.

Found by static analysis.

Signed-off-by: Stewart Smith <stewart at linux.ibm.com>
---
 hw/lpc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/lpc.c b/hw/lpc.c
index 3f2300ce9dca..3f5109d732b4 100644
--- a/hw/lpc.c
+++ b/hw/lpc.c
@@ -519,7 +519,7 @@ static int64_t lpc_probe_test(struct lpcm *lpc)
 
 	/* Ensure we can perform a valid lookup in the error table */
 	idx = LPC_ERROR_IDX(irqstat);
-	if (idx < 0 || idx > ARRAY_SIZE(lpc_error_table)) {
+	if (idx < 0 || idx >= ARRAY_SIZE(lpc_error_table)) {
 		prerror("LPC bus error translation failed with status 0x%x\n",
 			irqstat);
 		return OPAL_PARAMETER;
@@ -1035,7 +1035,7 @@ static void lpc_dispatch_err_irqs(struct lpcm *lpc, uint32_t irqs)
 
 	/* Ensure we can perform a valid lookup in the error table */
 	idx = LPC_ERROR_IDX(irqs);
-	if (idx < 0 || idx > ARRAY_SIZE(lpc_error_table)) {
+	if (idx < 0 || idx >= ARRAY_SIZE(lpc_error_table)) {
 		prerror("LPC bus error translation failed with status 0x%x\n",
 			irqs);
 		return;
-- 
2.21.0

