Sanitize the response lengths in order to prevent possible oopses in the command response path.
Signed-off-by: Brian King <brking@xxxxxxxxxxxxxxxxxx>
---
 drivers/scsi/ibmvscsi/ibmvfc.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff -puN drivers/scsi/ibmvscsi/ibmvfc.c~ibmvfc_sanitize_sense drivers/scsi/ibmvscsi/ibmvfc.c
--- linux-2.6/drivers/scsi/ibmvscsi/ibmvfc.c~ibmvfc_sanitize_sense 2008-08-14 12:44:03.000000000 -0500
+++ linux-2.6-bjking1/drivers/scsi/ibmvscsi/ibmvfc.c 2008-08-14 12:44:03.000000000 -0500
@@ -1457,8 +1457,8 @@ static void ibmvfc_scsi_done(struct ibmv
 struct ibmvfc_cmd *vfc_cmd = &evt->xfer_iu->cmd;
 struct ibmvfc_fcp_rsp *rsp = &vfc_cmd->rsp;
 struct scsi_cmnd *cmnd = evt->cmnd;
- int rsp_len = 0;
- int sense_len = rsp->fcp_sense_len;
+ u32 rsp_len = 0;
+ u32 sense_len = rsp->fcp_sense_len;

 if (cmnd) {
 if (vfc_cmd->response_flags & IBMVFC_ADAPTER_RESID_VALID)
@@ -1475,7 +1475,7 @@ static void ibmvfc_scsi_done(struct ibmv
 rsp_len = rsp->fcp_rsp_len;
 if ((sense_len + rsp_len) > SCSI_SENSE_BUFFERSIZE)
 sense_len = SCSI_SENSE_BUFFERSIZE - rsp_len;
- if ((rsp->flags & FCP_SNS_LEN_VALID) && rsp->fcp_sense_len)
+ if ((rsp->flags & FCP_SNS_LEN_VALID) && rsp->fcp_sense_len && rsp_len <= 8)
 memcpy(cmnd->sense_buffer, rsp->data.sense + rsp_len, sense_len);

 ibmvfc_log_error(evt);
_
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
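Review bot: The clamp in the second hunk can still be skipped through wraparound: with both lengths now `u32` (first hunk), `(sense_len + rsp_len)` wraps for a very large `fcp_sense_len`, so the `> SCSI_SENSE_BUFFERSIZE` test does not fire and the memcpy runs with the unclamped length even when `rsp_len <= 8` holds. Bounding the adapter-supplied value before the addition closes this, for example `sense_len = min_t(u32, sense_len, SCSI_SENSE_BUFFERSIZE);` ahead of the sum check, or writing the comparison as `sense_len > SCSI_SENSE_BUFFERSIZE - rsp_len` once `rsp_len` is known to be small. The literal 8 would read better as a named constant or with a comment such as `/* FCP response info is at most 8 bytes */`; that meaning is presumed from context and should be confirmed against the response structure. The body of ibmvfc_scsi_done continues outside both hunks, so the size of `rsp->data.sense` and any later use of `sense_len` are not visible here.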