
be2iscsi: check ip buffer before copying

Dan Carpenter found a issue where be2iscsi would copy the ip
from userspace to the driver buffer before checking the len
of the data being copied:
http://marc.info/?l=linux-scsi&m=140982651504251&w=2

This patch just has us copy only what the driver buffer
can support.

Cc: <stable@vger.kernel.org>
Tested-by: John Soni Jose <sony.john-n@emulex.com>
Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
Signed-off-by: Christoph Hellwig <hch@lst.de>

authored by

Mike Christie and committed by
Christoph Hellwig
a41a9ad3 4bfb8ebf

+8 -5
+8 -5
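--- a/drivers/scsi/be2iscsi/be_mgmt.c
+++ b/drivers/scsi/be2iscsi/be_mgmt.c
@@ -943,17 +943,20 @@
 
 if (ip_action == IP_ACTION_ADD) {
 memcpy(req->ip_params.ip_record.ip_addr.addr, ip_param->value,
-ip_param->len);
+sizeof(req->ip_params.ip_record.ip_addr.addr));
 
 if (subnet_param)
 memcpy(req->ip_params.ip_record.ip_addr.subnet_mask,
-subnet_param->value, subnet_param->len);
+subnet_param->value,
+sizeof(req->ip_params.ip_record.ip_addr.subnet_mask));
 } else {
 memcpy(req->ip_params.ip_record.ip_addr.addr,
-if_info->ip_addr.addr, ip_param->len);
+if_info->ip_addr.addr,
+sizeof(req->ip_params.ip_record.ip_addr.addr));
 
 memcpy(req->ip_params.ip_record.ip_addr.subnet_mask,
-if_info->ip_addr.subnet_mask, ip_param->len);
+if_info->ip_addr.subnet_mask,
+sizeof(req->ip_params.ip_record.ip_addr.subnet_mask));
 }
 
 rc = mgmt_exec_nonemb_cmd(phba, &nonemb_cmd, NULL, 0);
@@ -981,7 +984,7 @@
 req->action = gtway_action;
 req->ip_addr.ip_type = BE2_IPV4;
 
-memcpy(req->ip_addr.addr, gt_addr, sizeof(req->ip_addr.addr));
+memcpy(req->ip_addr.addr, gt_addr, sizeof(req->ip_addr.addr));
 
 return mgmt_exec_nonemb_cmd(phba, &nonemb_cmd, NULL, 0);
 }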
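Review bot: In the `IP_ACTION_ADD` branch the copy length is now `sizeof(req->ip_params.ip_record.ip_addr.addr)` regardless of `ip_param->len`, so a supplied value shorter than the destination field makes the `memcpy` read past the end of `ip_param->value`. The same applies to `subnet_param->value` and, in the second hunk, to `gt_addr`, where `param_len` is no longer consulted. The source buffer sizes are not visible in these hunks, so this may be benign, but bounding by both lengths avoids trading the destination overflow for a source over-read: `len = min_t(size_t, ip_param->len, sizeof(req->ip_params.ip_record.ip_addr.addr));` then `memcpy(req->ip_params.ip_record.ip_addr.addr, ip_param->value, len);`. Alternatively, reject an oversized `ip_param->len` with `-EINVAL` before any copy. Both enclosing functions start outside the hunks shown.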