[bug report] [SCSI] qla4xxx: Add flash node mgmt support


 



Hello Adheer Chandravanshi,

The patch 1e9e2be3ee03: "[SCSI] qla4xxx: Add flash node mgmt support"
from Mar 22, 2013, leads to the following static checker warning:

	drivers/scsi/qla4xxx/ql4_os.c:3723 qla4xxx_copy_to_fwddb_param()
	warn: 'conn->redirect_ipaddr' sometimes too small '16' size = 32

drivers/scsi/qla4xxx/ql4_os.c
  3637  static int qla4xxx_copy_to_fwddb_param(struct iscsi_bus_flash_session *sess,
  3638                                         struct iscsi_bus_flash_conn *conn,
  3639                                         struct dev_db_entry *fw_ddb_entry)
  3640  {
  3641          uint16_t options;
  3642          int rc = 0;
  3643  
  3644          options = le16_to_cpu(fw_ddb_entry->options);
  3645          SET_BITVAL(conn->is_fw_assigned_ipv6,  options, BIT_11);
  3646          if (!strncmp(sess->portal_type, PORTAL_TYPE_IPV6, 4))
  3647                  options |= BIT_8;
  3648          else
  3649                  options &= ~BIT_8;
  3650  
  3651          SET_BITVAL(sess->auto_snd_tgt_disable, options, BIT_6);
  3652          SET_BITVAL(sess->discovery_sess, options, BIT_4);
  3653          SET_BITVAL(sess->entry_state, options, BIT_3);
  3654          fw_ddb_entry->options = cpu_to_le16(options);
  3655  
  3656          options = le16_to_cpu(fw_ddb_entry->iscsi_options);
  3657          SET_BITVAL(conn->hdrdgst_en, options, BIT_13);
  3658          SET_BITVAL(conn->datadgst_en, options, BIT_12);
  3659          SET_BITVAL(sess->imm_data_en, options, BIT_11);
  3660          SET_BITVAL(sess->initial_r2t_en, options, BIT_10);
  3661          SET_BITVAL(sess->dataseq_inorder_en, options, BIT_9);
  3662          SET_BITVAL(sess->pdu_inorder_en, options, BIT_8);
  3663          SET_BITVAL(sess->chap_auth_en, options, BIT_7);
  3664          SET_BITVAL(conn->snack_req_en, options, BIT_6);
  3665          SET_BITVAL(sess->discovery_logout_en, options, BIT_5);
  3666          SET_BITVAL(sess->bidi_chap_en, options, BIT_4);
  3667          SET_BITVAL(sess->discovery_auth_optional, options, BIT_3);
  3668          SET_BITVAL(sess->erl & BIT_1, options, BIT_1);
  3669          SET_BITVAL(sess->erl & BIT_0, options, BIT_0);
  3670          fw_ddb_entry->iscsi_options = cpu_to_le16(options);
  3671  
  3672          options = le16_to_cpu(fw_ddb_entry->tcp_options);
  3673          SET_BITVAL(conn->tcp_timestamp_stat, options, BIT_6);
  3674          SET_BITVAL(conn->tcp_nagle_disable, options, BIT_5);
  3675          SET_BITVAL(conn->tcp_wsf_disable, options, BIT_4);
  3676          SET_BITVAL(conn->tcp_timer_scale & BIT_2, options, BIT_3);
  3677          SET_BITVAL(conn->tcp_timer_scale & BIT_1, options, BIT_2);
  3678          SET_BITVAL(conn->tcp_timer_scale & BIT_0, options, BIT_1);
  3679          SET_BITVAL(conn->tcp_timestamp_en, options, BIT_0);
  3680          fw_ddb_entry->tcp_options = cpu_to_le16(options);
  3681  
  3682          options = le16_to_cpu(fw_ddb_entry->ip_options);
  3683          SET_BITVAL(conn->fragment_disable, options, BIT_4);
  3684          fw_ddb_entry->ip_options = cpu_to_le16(options);
  3685  
  3686          fw_ddb_entry->iscsi_max_outsnd_r2t = cpu_to_le16(sess->max_r2t);
  3687          fw_ddb_entry->iscsi_max_rcv_data_seg_len =
  3688                                 cpu_to_le16(conn->max_recv_dlength / BYTE_UNITS);
  3689          fw_ddb_entry->iscsi_max_snd_data_seg_len =
  3690                                 cpu_to_le16(conn->max_xmit_dlength / BYTE_UNITS);
  3691          fw_ddb_entry->iscsi_first_burst_len =
  3692                                  cpu_to_le16(sess->first_burst / BYTE_UNITS);
  3693          fw_ddb_entry->iscsi_max_burst_len = cpu_to_le16(sess->max_burst /
  3694                                              BYTE_UNITS);
  3695          fw_ddb_entry->iscsi_def_time2wait = cpu_to_le16(sess->time2wait);
  3696          fw_ddb_entry->iscsi_def_time2retain = cpu_to_le16(sess->time2retain);
  3697          fw_ddb_entry->tgt_portal_grp = cpu_to_le16(sess->tpgt);
  3698          fw_ddb_entry->mss = cpu_to_le16(conn->max_segment_size);
  3699          fw_ddb_entry->tcp_xmt_wsf = (uint8_t) cpu_to_le32(conn->tcp_xmit_wsf);
  3700          fw_ddb_entry->tcp_rcv_wsf = (uint8_t) cpu_to_le32(conn->tcp_recv_wsf);
  3701          fw_ddb_entry->ipv6_flow_lbl = cpu_to_le16(conn->ipv6_flow_label);
  3702          fw_ddb_entry->ka_timeout = cpu_to_le16(conn->keepalive_timeout);
  3703          fw_ddb_entry->lcl_port = cpu_to_le16(conn->local_port);
  3704          fw_ddb_entry->stat_sn = cpu_to_le32(conn->statsn);
  3705          fw_ddb_entry->exp_stat_sn = cpu_to_le32(conn->exp_statsn);
  3706          fw_ddb_entry->ddb_link = cpu_to_le16(sess->discovery_parent_idx);
  3707          fw_ddb_entry->chap_tbl_idx = cpu_to_le16(sess->chap_out_idx);
  3708          fw_ddb_entry->tsid = cpu_to_le16(sess->tsid);
  3709          fw_ddb_entry->port = cpu_to_le16(conn->port);
  3710          fw_ddb_entry->def_timeout =
  3711                                  cpu_to_le16(sess->default_taskmgmt_timeout);
  3712  
  3713          if (!strncmp(sess->portal_type, PORTAL_TYPE_IPV6, 4))
  3714                  fw_ddb_entry->ipv4_tos = conn->ipv6_traffic_class;
  3715          else
  3716                  fw_ddb_entry->ipv4_tos = conn->ipv4_tos;
  3717  
  3718          if (conn->ipaddress)
  3719                  memcpy(fw_ddb_entry->ip_addr, conn->ipaddress,
  3720                         sizeof(fw_ddb_entry->ip_addr));
  3721  
  3722          if (conn->redirect_ipaddr)
  3723                  memcpy(fw_ddb_entry->tgt_addr, conn->redirect_ipaddr,
  3724                         sizeof(fw_ddb_entry->tgt_addr));

The conn->redirect_ipaddr buffer is IPv6_ADDR_LEN (16) bytes.  It is allocated
in qla4xxx_copy_from_fwddb_param().  The fw_ddb_entry->tgt_addr[] is a
32 byte buffer, and the memcpy at line 3723 uses sizeof(fw_ddb_entry->tgt_addr)
as its length, so it reads 16 bytes past the end of redirect_ipaddr.  This is
definitely a read overflow, and the bytes copied from beyond the end of the
buffer are garbage that ends up in the firmware DDB entry.

I guess ->redirect_ipaddr has the first part of fw_ddb_entry->tgt_addr?

  3725  
  3726          if (conn->link_local_ipv6_addr)
  3727                  memcpy(fw_ddb_entry->link_local_ipv6_addr,
  3728                         conn->link_local_ipv6_addr,
  3729                         sizeof(fw_ddb_entry->link_local_ipv6_addr));
  3730  
  3731          if (sess->targetname)
  3732                  memcpy(fw_ddb_entry->iscsi_name, sess->targetname,
  3733                         sizeof(fw_ddb_entry->iscsi_name));
  3734  
  3735          if (sess->targetalias)
  3736                  memcpy(fw_ddb_entry->iscsi_alias, sess->targetalias,
  3737                         sizeof(fw_ddb_entry->iscsi_alias));
  3738  
  3739          COPY_ISID(fw_ddb_entry->isid, sess->isid);
  3740  
  3741          return rc;
  3742  }

regards,
dan carpenter



