From a1ae3edfe64bd27519b009e04801cd3e32a3fd52 Mon Sep 17 00:00:00 2001
From: ngie <ngie@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Fri, 13 May 2016 09:05:29 +0000
Subject: [PATCH] MFC r298670: r298670 (by cem):

ciss(4): Fix overrun of array

The softc member 'ciss_logical' is an array of 'ciss_max_logical_bus' members.
Most of the time it is iterated correctly.  This patch fixes the two instances
where the driver iterated off the end of the array.

CID:		1305492


git-svn-id: svn://svn.freebsd.org/base/stable/10@299634 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 sys/dev/ciss/ciss.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/dev/ciss/ciss.c b/sys/dev/ciss/ciss.c
index a465fac7f..00a4e775b 100644
--- a/sys/dev/ciss/ciss.c
+++ b/sys/dev/ciss/ciss.c
@@ -1431,7 +1431,7 @@ ciss_init_logical(struct ciss_softc *sc)
 	goto out;
     }
 
-    for (i = 0; i <= sc->ciss_max_logical_bus; i++) {
+    for (i = 0; i < sc->ciss_max_logical_bus; i++) {
 	sc->ciss_logical[i] =
 	    malloc(sc->ciss_cfg->max_logical_supported *
 		   sizeof(struct ciss_ldrive),
@@ -2030,7 +2030,7 @@ ciss_free(struct ciss_softc *sc)
     if (sc->ciss_parent_dmat)
 	bus_dma_tag_destroy(sc->ciss_parent_dmat);
     if (sc->ciss_logical) {
-	for (i = 0; i <= sc->ciss_max_logical_bus; i++) {
+	for (i = 0; i < sc->ciss_max_logical_bus; i++) {
 	    for (j = 0; j < sc->ciss_cfg->max_logical_supported; j++) {
 		if (sc->ciss_logical[i][j].cl_ldrive)
 		    free(sc->ciss_logical[i][j].cl_ldrive, CISS_MALLOC_CLASS);
-- 
2.45.0