Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 18c9a99b authored by Dan Carpenter's avatar Dan Carpenter Committed by Tejun Heo
Browse files

libata: zpodd: small read overflow in eject_tray() 



We read from the cdb[] buffer in ata_exec_internal_sg().  It has to be
ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.

Fixes: 21334205 ("libata: handle power transition of ODD")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarTejun Heo <tj@kernel.org>
Cc: stable@vger.kernel.org
parent 4544e403

drivers/ata/libata-zpodd.c

+1 −1
Original line number Original line Diff line number Diff line
@@ -35,7 +35,7 @@ struct zpodd { 
static int eject_tray(struct ata_device *dev)

static int eject_tray(struct ata_device *dev)

{

{

	struct ata_taskfile tf;

	struct ata_taskfile tf;

	static const char cdb[] = {  GPCMD_START_STOP_UNIT,

	static const char cdb[ATAPI_CDB_LEN] = {  GPCMD_START_STOP_UNIT,

		0, 0, 0,

		0, 0, 0,

		0x02,     /* LoEj */

		0x02,     /* LoEj */

		0, 0, 0, 0, 0, 0, 0,

		0, 0, 0, 0, 0, 0, 0,