> -----Original Message-----
> From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> Sent: Tuesday, April 28, 2020 6:50 PM
> To: QLogic-Storage-Upstream@xxxxxxxxxx; Manish Rangankar
> <manish.rangankar@xxxxxxxxxx>
> Cc: James E.J. Bottomley <jejb@xxxxxxxxxxxxx>; Martin K. Petersen
> <martin.petersen@xxxxxxxxxx>; linux-scsi@xxxxxxxxxxxxxxx; kernel-
> janitors@xxxxxxxxxxxxxxx
> Subject: [EXT] [PATCH] scsi: qedi: Check for buffer overflow in
> qedi_set_path()
>
> External Email
>
> ----------------------------------------------------------------------
> Smatch complains that the "path_data->handle" variable is user controlled.
> It comes from iscsi_set_path() so that seems possible.
> It's harmless to add a limit check.
>
> The qedi->ep_tbl[] array has qedi->max_active_conns elements (which is
> always ISCSI_MAX_SESS_PER_HBA (4096) elements). The array is allocated
> in the qedi_cm_alloc_mem() function.
>
> Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver
> framework.")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> drivers/scsi/qedi/qedi_iscsi.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/scsi/qedi/qedi_iscsi.c b/drivers/scsi/qedi/qedi_iscsi.c
> index b867a143d2638..425e665ec08b2 100644
> --- a/drivers/scsi/qedi/qedi_iscsi.c
> +++ b/drivers/scsi/qedi/qedi_iscsi.c
> @@ -1221,6 +1221,10 @@ static int qedi_set_path(struct Scsi_Host
> *shost, struct iscsi_path *path_data)
> }
>
> iscsi_cid = (u32)path_data->handle;
> + if (iscsi_cid >= qedi->max_active_conns) {
> + ret = -EINVAL;
> + goto set_path_exit;
> + }
> qedi_ep = qedi->ep_tbl[iscsi_cid];
> QEDI_INFO(&qedi->dbg_ctx, QEDI_LOG_INFO,
> "iscsi_cid=0x%x, qedi_ep=%p\n", iscsi_cid, qedi_ep);
Thanks,
Acked-by: Manish Rangankar <mrangankar@xxxxxxxxxxx>
