[SCSI] ibmvfc: Sanitize response lengths

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Sanitize the response lengths in order to prevent possible oopses
in the command response path.

Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

authored by

Brian King and committed by

James Bottomley 17 years ago 2bac406d cf6f10d7

+3 -3

1 changed file

expand all

drivers

scsi

ibmvscsi

ibmvfc.c

+3 -3

drivers/scsi/ibmvscsi/ibmvfc.c

··· 1457 1457 struct ibmvfc_cmd *vfc_cmd = &evt->xfer_iu->cmd; 1458 1458 struct ibmvfc_fcp_rsp *rsp = &vfc_cmd->rsp; 1459 1459 struct scsi_cmnd *cmnd = evt->cmnd; 1460 - int rsp_len = 0; 1461 - int sense_len = rsp->fcp_sense_len; 1460 + u32 rsp_len = 0; 1461 + u32 sense_len = rsp->fcp_sense_len; 1462 1462 1463 1463 if (cmnd) { 1464 1464 if (vfc_cmd->response_flags & IBMVFC_ADAPTER_RESID_VALID) ··· 1475 1475 rsp_len = rsp->fcp_rsp_len; 1476 1476 if ((sense_len + rsp_len) > SCSI_SENSE_BUFFERSIZE) 1477 1477 sense_len = SCSI_SENSE_BUFFERSIZE - rsp_len; 1478 - if ((rsp->flags & FCP_SNS_LEN_VALID) && rsp->fcp_sense_len) 1478 + if ((rsp->flags & FCP_SNS_LEN_VALID) && rsp->fcp_sense_len && rsp_len <= 8) 1479 1479 memcpy(cmnd->sense_buffer, rsp->data.sense + rsp_len, sense_len); 1480 1480 1481 1481 ibmvfc_log_error(evt);