
scsi: lpfc: Fix validation of bsg reply lengths

There are a couple of code areas which validate sufficient reply buffer
length, but the checks are using the request elements rather than the reply
elements.

Rework to validate using the reply structures.

Link: https://lore.kernel.org/r/20200803210229.23063-7-jsmart2021@gmail.com
Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

authored by

Dick Kennedy and committed by
Martin K. Petersen
feb3cc57 678768da

+8 -13
+8 -13
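--- a/drivers/scsi/lpfc/lpfc_bsg.c
+++ b/drivers/scsi/lpfc/lpfc_bsg.c
@@ -2494,13 +2494,12 @@
 	diag_status_reply = (struct diag_status *)
 			    bsg_reply->reply_data.vendor_reply.vendor_rsp;
 
-	if (job->reply_len <
-	    sizeof(struct fc_bsg_request) + sizeof(struct diag_status)) {
+	if (job->reply_len < sizeof(*bsg_reply) + sizeof(*diag_status_reply)) {
 		lpfc_printf_log(phba, KERN_WARNING, LOG_LIBDFC,
 				"3012 Received Run link diag test reply "
 				"below minimum size (%d): reply_len:%d\n",
-				(int)(sizeof(struct fc_bsg_request) +
-				sizeof(struct diag_status)),
+				(int)(sizeof(*bsg_reply) +
+				sizeof(*diag_status_reply)),
 				job->reply_len);
 		rc = -EINVAL;
 		goto job_error;
@@ -3418,8 +3417,7 @@
 	event_reply = (struct get_mgmt_rev_reply *)
 		bsg_reply->reply_data.vendor_reply.vendor_rsp;
 
-	if (job->reply_len <
-	    sizeof(struct fc_bsg_request) + sizeof(struct get_mgmt_rev_reply)) {
+	if (job->reply_len < sizeof(*bsg_reply) + sizeof(*event_reply)) {
 		lpfc_printf_log(phba, KERN_WARNING, LOG_LIBDFC,
 				"2741 Received GET_DFC_REV reply below "
 				"minimum size\n");
@@ -5202,8 +5200,8 @@
 		goto no_dd_data;
 	}
 
-	if (job->reply_len <
-	    sizeof(struct fc_bsg_request) + sizeof(struct menlo_response)) {
+	if (job->reply_len < sizeof(*bsg_reply) +
+				sizeof(struct menlo_response)) {
 		lpfc_printf_log(phba, KERN_WARNING, LOG_LIBDFC,
 				"2785 Received MENLO_CMD reply below "
 				"minimum size\n");
@@ -5359,9 +5357,7 @@
 	forced_reply = (struct forced_link_speed_support_reply *)
 		bsg_reply->reply_data.vendor_reply.vendor_rsp;
 
-	if (job->reply_len <
-	    sizeof(struct fc_bsg_request) +
-	    sizeof(struct forced_link_speed_support_reply)) {
+	if (job->reply_len < sizeof(*bsg_reply) + sizeof(*forced_reply)) {
 		lpfc_printf_log(phba, KERN_WARNING, LOG_LIBDFC,
 				"0049 Received FORCED_LINK_SPEED reply below "
 				"minimum size\n");
@@ -5715,8 +5711,7 @@
 	event_reply = (struct lpfc_trunk_info *)
 		bsg_reply->reply_data.vendor_reply.vendor_rsp;
 
-	if (job->reply_len < sizeof(struct fc_bsg_request) + sizeof(struct lpfc_trunk_info)) {
+	if (job->reply_len < sizeof(*bsg_reply) + sizeof(*event_reply)) {
 		lpfc_printf_log(phba, KERN_WARNING, LOG_LIBDFC,
 				"2728 Received GET TRUNK _INFO reply below "
 				"minimum size\n");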
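Review bot: The required reply size is still written out by hand at every site, and twice in the 3012 site (once in the check, once in the log argument), so the bound and the reported minimum can drift apart again the same way the request/reply mix-up did. Computing it once, as in `size_t min_len = sizeof(*bsg_reply) + sizeof(*diag_status_reply);` followed by `if (job->reply_len < min_len) {`, ties the check to the value logged. The MENLO_CMD check still names `struct menlo_response` instead of taking `sizeof` of the destination object as the other four now do. Only the 3012 warning reports the minimum and the received `reply_len`, and the 2741, 2785, 0049 and 2728 messages would be easier to triage with the same two values. All five enclosing functions begin and end outside the hunks shown, so how `bsg_reply` is assigned and what the error paths do after the warning cannot be confirmed from here.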