[PATCH] bounds/limits fixes (Stanford Checker)

This fixes several trivial bounds/limits errors that were pointed out by
the Stanford Checker.

diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
index c404935bc432ef9c8089f0981fd23eeee53676a1..f4a26d1331af5b0181c270ff716aae1476d8225b 100644 (file)
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -345,7 +345,7 @@ static int cciss_open(struct inode *inode, struct file *filep)
        printk(KERN_DEBUG "cciss_open %x (%x:%x)\n", inode->i_rdev, ctlr, dsk);
 #endif /* CCISS_DEBUG */ 
 
-       if (ctlr > MAX_CTLR || hba[ctlr] == NULL)
+       if (ctlr >= MAX_CTLR || hba[ctlr] == NULL)
                return -ENXIO;
        /*
         * Root is allowed to open raw volume zero even if its not configured

diff --git a/drivers/block/ll_rw_blk.c b/drivers/block/ll_rw_blk.c
index e13d0bbca1449a8773fdb344b616e97f1075ae9a..154120d9d4343d90605e2a39866dfdc0f623b268 100644 (file)
--- a/drivers/block/ll_rw_blk.c
+++ b/drivers/block/ll_rw_blk.c
@@ -677,7 +677,7 @@ static char *rq_flags[] = {
        "REQ_SENSE",
        "REQ_FAILED",
        "REQ_QUIET",
-       "REQ_SPECIAL"
+       "REQ_SPECIAL",
        "REQ_DRIVE_CMD",
        "REQ_DRIVE_TASK",
        "REQ_DRIVE_TASKFILE",

diff --git a/drivers/char/riscom8.c b/drivers/char/riscom8.c
index f56c6de4b7e235656b7661986e6a0d8c24aad1a5..501534e6a10991b727ead77e40e7a14918aef57f 100644 (file)
--- a/drivers/char/riscom8.c
+++ b/drivers/char/riscom8.c
@@ -1090,7 +1090,7 @@ static int rc_open(struct tty_struct * tty, struct file * filp)
        unsigned long flags;
        
        board = RC_BOARD(minor(tty->device));
-       if (board > RC_NBOARD || !(rc_board[board].flags & RC_BOARD_PRESENT))
+       if (board >= RC_NBOARD || !(rc_board[board].flags & RC_BOARD_PRESENT))
                return -ENODEV;
        
        bp = &rc_board[board];

diff --git a/drivers/char/sx.c b/drivers/char/sx.c
index 29c856b8a5d3f3ceb8178d5aee10efe73e08821c..cc629ef0d9dcc8efe5d2b89d3e6d44c6c694b937 100644 (file)
--- a/drivers/char/sx.c
+++ b/drivers/char/sx.c
@@ -1689,7 +1689,7 @@ static int sx_fw_ioctl (struct inode *inode, struct file *filp,
        switch (cmd) {
        case SXIO_SET_BOARD:
                sx_dprintk (SX_DEBUG_FIRMWARE, "set board to %ld\n", arg);
-               if (arg > SX_NBOARDS) return -EIO;
+               if (arg >= SX_NBOARDS) return -EIO;
                sx_dprintk (SX_DEBUG_FIRMWARE, "not out of range\n");
                if (!(boards[arg].flags & SX_BOARD_PRESENT)) return -EIO;
                sx_dprintk (SX_DEBUG_FIRMWARE, ".. and present!\n");

diff --git a/drivers/isdn/hardware/eicon/diva.c b/drivers/isdn/hardware/eicon/diva.c
index aab7fbcaef0fa0095ebf75e6a27da7d6f0f8725f..81cf2292c1c810409fe0d76acdf880e12c88d2c1 100644 (file)
--- a/drivers/isdn/hardware/eicon/diva.c
+++ b/drivers/isdn/hardware/eicon/diva.c
@@ -563,10 +563,11 @@ static void diva_init_request_array(void)
        Requests[31] = DivaIdiRequest31;
 }
 
+/* card:  1-based card number */
 void diva_xdi_display_adapter_features(int card)
 {
        dword features;
-       if (!card || ((card - 1) > MAX_ADAPTER) || !IoAdapters[card - 1]) {
+       if (!card || ((card - 1) >= MAX_ADAPTER) || !IoAdapters[card - 1]) {
                return;
        }
        card--;

diff --git a/drivers/media/dvb/av7110/av7110.c b/drivers/media/dvb/av7110/av7110.c
index 4df0e077f88aed908f39750b2068d0ad38375b0d..f0178c18e0e5080fd7ca9128cbec5293943b4441 100644 (file)
--- a/drivers/media/dvb/av7110/av7110.c
+++ b/drivers/media/dvb/av7110/av7110.c
@@ -3243,7 +3243,7 @@ StopHWFilter(struct dvb_demux_filter *dvbdmxfilter)
         u16 handle;
                 
         handle=dvbdmxfilter->hw_handle;
-        if (handle>32) {
+        if (handle >= MAXFILT) {
                 dprintk("dvb: StopHWFilter tried to stop invalid filter %d.\n",
                        handle);
                 dprintk("dvb: filter type = %d\n",  dvbdmxfilter->type);
@@ -4408,7 +4408,7 @@ dvb_register(av7110_t *av7110)
         dvbdemux->priv=(void *) av7110;
 
         if (av7110->saa->card_type==DVB_CARD_TT_SIEMENS) {
-                for (i=0; i<32; i++)
+                for (i = 0; i < MAXFILT; i++)
                         av7110->handle2filter[i]=NULL;
 
                 dvbdemux->filternum=32;

diff --git a/drivers/media/dvb/av7110/av7110.h b/drivers/media/dvb/av7110/av7110.h
index a4e8acaf7cd6c85b9fd8f96788477ddb5cbdc023..90cdb89e78c2d300b7d6598f055524d3c6276fea 100644 (file)
--- a/drivers/media/dvb/av7110/av7110.h
+++ b/drivers/media/dvb/av7110/av7110.h
@@ -580,7 +580,7 @@ typedef struct av7110_s {
 #define TRICK_FREEZE 3
         struct audio_status      audiostate;
 
-        struct dvb_demux_filter     *handle2filter[32];
+        struct dvb_demux_filter     *handle2filter[MAXFILT];
         p2t_t                   p2t_filter[MAXFILT];
         dvb_filter_pes2ts_t     p2t[2];
         struct ipack_s          ipack[2];

diff --git a/drivers/media/video/bttv-cards.c b/drivers/media/video/bttv-cards.c
index d63ea1396972557f850daeeab9d621d9914e1f6b..2ed590fc87c12daf59e7a6f0c8c35c6cbef7cade 100644 (file)
--- a/drivers/media/video/bttv-cards.c
+++ b/drivers/media/video/bttv-cards.c
@@ -2172,8 +2172,9 @@ static void __devinit hauppauge_eeprom(struct bttv *btv)
        tuner = eeprom_data[9];
        radio = eeprom_data[blk2-1] & 0x01;
        
-        if (tuner < sizeof(hauppauge_tuner)/sizeof(struct HAUPPAUGE_TUNER))
-                btv->tuner_type = hauppauge_tuner[tuner].id;
+        if (tuner >= ARRAY_SIZE(hauppauge_tuner))
+               tuner = 0;
+       btv->tuner_type = hauppauge_tuner[tuner].id;
        if (radio)
                btv->has_radio = 1;
        

diff --git a/drivers/message/i2o/i2o_core.c b/drivers/message/i2o/i2o_core.c
index 418b2dcd930cb2d7729342181505a01e7366aaa6..d4f15436a380e38da3f1f99c4806eba7c012536b 100644 (file)
--- a/drivers/message/i2o/i2o_core.c
+++ b/drivers/message/i2o/i2o_core.c
@@ -3060,7 +3060,7 @@ void i2o_report_common_status(u8 req_status)
                "PROGRESS_REPORT"       
        };
 
-       if (req_status > I2O_REPLY_STATUS_PROGRESS_REPORT)
+       if (req_status >= ARRAY_SIZE(REPLY_STATUS))
                printk("RequestStatus = %0#2x", req_status);
        else
                printk("%s", REPLY_STATUS[req_status]);

diff --git a/drivers/net/hamradio/scc.c b/drivers/net/hamradio/scc.c
index f1ed6647615c2af879db0a3055025b5948df9d39..ebe175627dccb835b9b8b3f4cb60b81f01b67606 100644 (file)
--- a/drivers/net/hamradio/scc.c
+++ b/drivers/net/hamradio/scc.c
@@ -1763,7 +1763,7 @@ static int scc_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
 
                        if (hwcfg.irq == 2) hwcfg.irq = 9;
 
-                       if (hwcfg.irq <0 || hwcfg.irq > NR_IRQS)
+                       if (hwcfg.irq < 0 || hwcfg.irq >= NR_IRQS)
                                return -EINVAL;
                                
                        if (!Ivec[hwcfg.irq].used && hwcfg.irq)

diff --git a/drivers/net/irda/smc-ircc.c b/drivers/net/irda/smc-ircc.c
index 30dfec24f88939e642be2f58b692dbd2d3aee662..5c5e0e36727b216e8ef4fbdf95aa9c05f7b556a8 100644 (file)
--- a/drivers/net/irda/smc-ircc.c
+++ b/drivers/net/irda/smc-ircc.c
@@ -469,7 +469,7 @@ static int __init ircc_open(unsigned int fir_base, unsigned int sir_base)
                "firport 0x%03x, sirport 0x%03x dma=%d, irq=%d\n",
                chip & 0x0f, version, fir_base, sir_base, dma, irq);
 
-       if (dev_count>DIM(dev_self)) {
+       if (dev_count >= DIM(dev_self)) {
                IRDA_DEBUG(0, 
                           "%s(), to many devices!\n", __FUNCTION__ );
                return -ENOMEM;

diff --git a/drivers/net/wireless/orinoco.c b/drivers/net/wireless/orinoco.c
index 3c69c80a682b98ab0b6664677d79e2a61406b388..69c530629b993f006726450d7a0c3eb68871522a 100644 (file)
--- a/drivers/net/wireless/orinoco.c
+++ b/drivers/net/wireless/orinoco.c
@@ -3057,7 +3057,7 @@ static int orinoco_ioctl_getrate(struct net_device *dev, struct iw_param *rrq)
 
        ratemode = priv->bitratemode;
 
-       if ( (ratemode < 0) || (ratemode > BITRATE_TABLE_SIZE) )
+       if ( (ratemode < 0) || (ratemode >= BITRATE_TABLE_SIZE) )
                BUG();
 
        rrq->value = bitrate_table[ratemode].bitrate * 100000;

diff --git a/drivers/pcmcia/i82092.c b/drivers/pcmcia/i82092.c
index cdb66c6c18321d83a842896679f2e6833c9103be..606fef598ca6f76d35a7da57e562c16da9301eb5 100644 (file)
--- a/drivers/pcmcia/i82092.c
+++ b/drivers/pcmcia/i82092.c
@@ -384,7 +384,7 @@ static int card_present(int socketno)
        unsigned int val;
        enter("card_present");
        
-       if ((socketno<0) || (socketno > MAX_SOCKETS))
+       if ((socketno<0) || (socketno >= MAX_SOCKETS))
                return 0;
        if (sockets[socketno].io_base == 0)
                return 0;

diff --git a/drivers/scsi/aacraid/aachba.c b/drivers/scsi/aacraid/aachba.c
index 8e3ad622cb8b46d802c5ea76ba239148962becb2..318a4584ac3be7ac4a44999b8308c118d72756d8 100644 (file)
--- a/drivers/scsi/aacraid/aachba.c
+++ b/drivers/scsi/aacraid/aachba.c
@@ -1094,7 +1094,7 @@ static int query_disk(struct aac_dev *dev, void *arg)
                qd.cnum = TARGET_LUN_TO_CONTAINER(qd.target, qd.lun);
        else if ((qd.bus == -1) && (qd.target == -1) && (qd.lun == -1)) 
        {
-               if (qd.cnum < 0 || qd.cnum > MAXIMUM_NUM_CONTAINERS)
+               if (qd.cnum < 0 || qd.cnum >= MAXIMUM_NUM_CONTAINERS)
                        return -EINVAL;
                qd.instance = dev->scsi_host_ptr->host_no;
                qd.bus = 0;
@@ -1129,7 +1129,7 @@ static int force_delete_disk(struct aac_dev *dev, void *arg)
        if (copy_from_user(&dd, arg, sizeof (struct aac_delete_disk)))
                return -EFAULT;
 
-       if (dd.cnum > MAXIMUM_NUM_CONTAINERS)
+       if (dd.cnum >= MAXIMUM_NUM_CONTAINERS)
                return -EINVAL;
        /*
         *      Mark this container as being deleted.
@@ -1152,7 +1152,7 @@ static int delete_disk(struct aac_dev *dev, void *arg)
        if (copy_from_user(&dd, arg, sizeof (struct aac_delete_disk)))
                return -EFAULT;
 
-       if (dd.cnum > MAXIMUM_NUM_CONTAINERS)
+       if (dd.cnum >= MAXIMUM_NUM_CONTAINERS)
                return -EINVAL;
        /*
         *      If the container is locked, it can not be deleted by the API.

diff --git a/drivers/scsi/aic7xxx/aic79xx_pci.c b/drivers/scsi/aic7xxx/aic79xx_pci.c
index 79b1a172d6be383906412323a070911f880f7f2d..345bdeda3fddd58c93678e2eb6f560891a7f14e8 100644 (file)
--- a/drivers/scsi/aic7xxx/aic79xx_pci.c
+++ b/drivers/scsi/aic7xxx/aic79xx_pci.c
@@ -691,7 +691,7 @@ static const char *pci_status_source[] =
 
 static const char *split_status_strings[] =
 {
-       "%s: Received split response in %s.\n"
+       "%s: Received split response in %s.\n",
        "%s: Received split completion error message in %s\n",
        "%s: Receive overrun in %s\n",
        "%s: Count not complete in %s\n",

diff --git a/drivers/scsi/cpqfcTSworker.c b/drivers/scsi/cpqfcTSworker.c
index b4dd2a337143abc55e99ff2c3a26095a8243f224..7bec5d1091f78230a7ebe405c55f0fd113b93de9 100644 (file)
--- a/drivers/scsi/cpqfcTSworker.c
+++ b/drivers/scsi/cpqfcTSworker.c
@@ -448,7 +448,7 @@ void cpqfcTS_WorkTask( struct Scsi_Host *HostAdapter)
       LONG x_ID = fcLQ->Qitem[QconsumerNdx].ulBuff[0];
       BOOLEAN FrozeTach = FALSE;   
      
-      if( x_ID > TACH_SEST_LEN )  // (in)sanity check
+      if ( x_ID >= TACH_SEST_LEN )  // (in)sanity check
       {
 //     printk( " cpqfcTS ERROR! BOGUS x_ID %Xh", x_ID);
        break;

diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c
index b35c75e1b62f8eae095a0913b38e62a73316609f..2916acf21f87931475f2081f6569870e1af1346d 100644 (file)
--- a/drivers/scsi/dpt_i2o.c
+++ b/drivers/scsi/dpt_i2o.c
@@ -1402,7 +1402,7 @@ static int adpt_i2o_parse_lct(adpt_hba* pHba)
                                printk(KERN_WARNING"%s: Channel number %d out of range \n", pHba->name, bus_no);
                                continue;
                        }
-                       if(scsi_id > MAX_ID){
+                       if (scsi_id >= MAX_ID){
                                printk(KERN_WARNING"%s: SCSI ID %d out of range \n", pHba->name, bus_no);
                                continue;
                        }
@@ -1476,7 +1476,7 @@ static int adpt_i2o_parse_lct(adpt_hba* pHba)
                                if(bus_no >= MAX_CHANNEL) {     // Something wrong skip it
                                        continue;
                                }
-                               if(scsi_id > MAX_ID){
+                               if (scsi_id >= MAX_ID) {
                                        continue;
                                }
                                if( pHba->channel[bus_no].device[scsi_id] == NULL){

diff --git a/fs/devfs/base.c b/fs/devfs/base.c
index 02f6bcfc5fe21aeaee749f456fc95eb9e81dcc50..b82077b01ec18e99caab793512745c97eb611c4f 100644 (file)
--- a/fs/devfs/base.c
+++ b/fs/devfs/base.c
@@ -1169,7 +1169,7 @@ static devfs_handle_t _devfs_make_parent_for_leaf (struct devfs_entry *dir,
     *leaf_pos = (name[namelen] == '/') ? (namelen + 1) : 0;
     for (; namelen > 0; name += next_pos, namelen -= next_pos)
     {
-       struct devfs_entry *de, *old;
+       struct devfs_entry *de, *old = NULL;
 
        if ( ( de = _devfs_descend (dir, name, namelen, &next_pos) ) == NULL )
        {

diff --git a/net/irda/qos.c b/net/irda/qos.c
index c7dc0bf1c040aa32ed0d6dd3b239f9fe80b40ce8..45bab6e55e75cf7b9b49e0917fba5c2cdd739db2 100644 (file)
--- a/net/irda/qos.c
+++ b/net/irda/qos.c
@@ -722,8 +722,8 @@ __u32 irlap_max_line_capacity(__u32 speed, __u32 max_turn_time)
        i = value_index(speed, baud_rates, 10);
        j = value_index(max_turn_time, max_turn_times, 4);
 
-       ASSERT(((i >=0) && (i <=10)), return 0;);
-       ASSERT(((j >=0) && (j <=4)), return 0;);
+       ASSERT(((i >=0) && (i <10)), return 0;);
+       ASSERT(((j >=0) && (j <4)), return 0;);
 
        line_capacity = max_line_capacities[i][j];