Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tjh.dev
kernel
os
linux
[SCSI] ibmvfc: Sanitize response lengths
Sanitize the response lengths in order to prevent possible oopses
in the command response path.
Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
authored by Brian King and committed by James Bottomley 2bac406d cf6f10d7
+3
-3
drivers/scsi/ibmvscsi/ibmvfc.c
+3
-3
drivers/scsi/ibmvscsi/ibmvfc.c
···
1457
1457
struct ibmvfc_cmd *vfc_cmd = &evt->xfer_iu->cmd;
1458
1458
struct ibmvfc_fcp_rsp *rsp = &vfc_cmd->rsp;
1459
1459
struct scsi_cmnd *cmnd = evt->cmnd;
1460
-
int rsp_len = 0;
1461
-
int sense_len = rsp->fcp_sense_len;
1460
+
u32 rsp_len = 0;
1461
+
u32 sense_len = rsp->fcp_sense_len;
1462
1462
1463
1463
if (cmnd) {
1464
1464
if (vfc_cmd->response_flags & IBMVFC_ADAPTER_RESID_VALID)
···
1475
1475
rsp_len = rsp->fcp_rsp_len;
1476
1476
if ((sense_len + rsp_len) > SCSI_SENSE_BUFFERSIZE)
1477
1477
sense_len = SCSI_SENSE_BUFFERSIZE - rsp_len;
1478
-
if ((rsp->flags & FCP_SNS_LEN_VALID) && rsp->fcp_sense_len)
1478
+
if ((rsp->flags & FCP_SNS_LEN_VALID) && rsp->fcp_sense_len && rsp_len <= 8)
1479
1479
memcpy(cmnd->sense_buffer, rsp->data.sense + rsp_len, sense_len);
1480
1480
1481
1481
ibmvfc_log_error(evt);