[SCSI] qla2xxx: Correct out of bounds read of ISP2200 mailbox registers.

ISP2200 adapters only have 24 mailbox registers so read only that many.

Reported-by: Olatunji Ruwase <oor@cs.cmu.edu>
Signed-off-by: Andrew Vasquez <andrew.vasquez@qlogic.com>
Signed-off-by: Chad Dupuis <chad.dupuis@qlogic.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>

diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
index a6a4eeb..af1003f 100644 (file)
--- a/drivers/scsi/qla2xxx/qla_def.h
+++ b/drivers/scsi/qla2xxx/qla_def.h
@@ -44,6 +44,7 @@
  * ISP2100 HBAs.
  */
 #define MAILBOX_REGISTER_COUNT_2100    8
+#define MAILBOX_REGISTER_COUNT_2200    24
 #define MAILBOX_REGISTER_COUNT         32
 
 #define QLA2200A_RISC_ROM_VER  4

diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
index 5fd89d7..7e617a6 100644 (file)
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -2054,7 +2054,7 @@ qla2x00_probe_one(struct pci_dev *pdev, const struct pci_device_id *id)
                ha->nvram_data_off = ~0;
                ha->isp_ops = &qla2100_isp_ops;
        } else if (IS_QLA2200(ha)) {
-               ha->mbx_count = MAILBOX_REGISTER_COUNT;
+               ha->mbx_count = MAILBOX_REGISTER_COUNT_2200;
                req_length = REQUEST_ENTRY_CNT_2200;
                rsp_length = RESPONSE_ENTRY_CNT_2100;
                ha->max_loop_id = SNS_LAST_LOOP_ID_2100;