From: "KAMBAROV, ZAUR" <kambarov@berkeley.edu>

The check in

627  		BUG_ON(index > SG_MEMPOOL_NR);

with SG_MEMPOOL_NR defined in

32   	#define SG_MEMPOOL_NR		(sizeof(scsi_sg_pools)/sizeof(struct scsi_host_sg_pool))

was not sufficient.

sgp, set in

629  		sgp = scsi_sg_pools + index;

is dereferenced in

630  		mempool_free(sgl, sgp->pool);

Signed-off-by: Zaur Kambarov <zkambarov@coverity.com> 
Cc: <linux-scsi@vger.kernel.org>
Cc: James Bottomley <James.Bottomley@steeleye.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
---

 drivers/scsi/scsi_lib.c |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

diff -puN drivers/scsi/scsi_lib.c~coverity-i386-scsi_lib-buffer-overrun-fix drivers/scsi/scsi_lib.c
--- 25/drivers/scsi/scsi_lib.c~coverity-i386-scsi_lib-buffer-overrun-fix	Fri Jun 24 14:18:52 2005
+++ 25-akpm/drivers/scsi/scsi_lib.c	Fri Jun 24 14:18:52 2005
@@ -632,7 +632,7 @@ static void scsi_free_sgtable(struct sca
 {
 	struct scsi_host_sg_pool *sgp;
 
-	BUG_ON(index > SG_MEMPOOL_NR);
+	BUG_ON(index >= SG_MEMPOOL_NR);
 
 	sgp = scsi_sg_pools + index;
 	mempool_free(sgl, sgp->pool);
_