Commit 2bac406d authored by Brian King's avatar Brian King Committed by James Bottomley

[SCSI] ibmvfc: Sanitize response lengths

Sanitize the response lengths in order to prevent possible oopses
in the command response path.
Signed-off-by: default avatarBrian King <brking@linux.vnet.ibm.com>
Signed-off-by: default avatarJames Bottomley <James.Bottomley@HansenPartnership.com>
parent cf6f10d7
...@@ -1457,8 +1457,8 @@ static void ibmvfc_scsi_done(struct ibmvfc_event *evt) ...@@ -1457,8 +1457,8 @@ static void ibmvfc_scsi_done(struct ibmvfc_event *evt)
struct ibmvfc_cmd *vfc_cmd = &evt->xfer_iu->cmd; struct ibmvfc_cmd *vfc_cmd = &evt->xfer_iu->cmd;
struct ibmvfc_fcp_rsp *rsp = &vfc_cmd->rsp; struct ibmvfc_fcp_rsp *rsp = &vfc_cmd->rsp;
struct scsi_cmnd *cmnd = evt->cmnd; struct scsi_cmnd *cmnd = evt->cmnd;
int rsp_len = 0; u32 rsp_len = 0;
int sense_len = rsp->fcp_sense_len; u32 sense_len = rsp->fcp_sense_len;
if (cmnd) { if (cmnd) {
if (vfc_cmd->response_flags & IBMVFC_ADAPTER_RESID_VALID) if (vfc_cmd->response_flags & IBMVFC_ADAPTER_RESID_VALID)
...@@ -1475,7 +1475,7 @@ static void ibmvfc_scsi_done(struct ibmvfc_event *evt) ...@@ -1475,7 +1475,7 @@ static void ibmvfc_scsi_done(struct ibmvfc_event *evt)
rsp_len = rsp->fcp_rsp_len; rsp_len = rsp->fcp_rsp_len;
if ((sense_len + rsp_len) > SCSI_SENSE_BUFFERSIZE) if ((sense_len + rsp_len) > SCSI_SENSE_BUFFERSIZE)
sense_len = SCSI_SENSE_BUFFERSIZE - rsp_len; sense_len = SCSI_SENSE_BUFFERSIZE - rsp_len;
if ((rsp->flags & FCP_SNS_LEN_VALID) && rsp->fcp_sense_len) if ((rsp->flags & FCP_SNS_LEN_VALID) && rsp->fcp_sense_len && rsp_len <= 8)
memcpy(cmnd->sense_buffer, rsp->data.sense + rsp_len, sense_len); memcpy(cmnd->sense_buffer, rsp->data.sense + rsp_len, sense_len);
ibmvfc_log_error(evt); ibmvfc_log_error(evt);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment