Commit db5db4b9 authored by Bart Van Assche's avatar Bart Van Assche Committed by Martin K. Petersen

scsi: sd: Protect against READ(6) or WRITE(6) with zero block transfer length

Since the READ(6) and WRITE(6) commands interpret a zero in the transfer
length field in the CDB as 256 logical blocks, avoid submitting such
commands.

Cc: Douglas Gilbert <dgilbert@interlog.com>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Christoph Hellwig <hch@lst.de>
Reported-by: default avatarDouglas Gilbert <dgilbert@interlog.com>
Signed-off-by: default avatarBart Van Assche <bvanassche@acm.org>
Reviewed-by: default avatarDouglas Gilbert <dgilbert@interlog.com>
Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
parent 59abc8cc
...@@ -1128,6 +1128,10 @@ static blk_status_t sd_setup_rw6_cmnd(struct scsi_cmnd *cmd, bool write, ...@@ -1128,6 +1128,10 @@ static blk_status_t sd_setup_rw6_cmnd(struct scsi_cmnd *cmd, bool write,
sector_t lba, unsigned int nr_blocks, sector_t lba, unsigned int nr_blocks,
unsigned char flags) unsigned char flags)
{ {
/* Avoid that 0 blocks gets translated into 256 blocks. */
if (WARN_ON_ONCE(nr_blocks == 0))
return BLK_STS_IOERR;
if (unlikely(flags & 0x8)) { if (unlikely(flags & 0x8)) {
/* /*
* This happens only if this drive failed 10byte rw * This happens only if this drive failed 10byte rw
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment