Fix a bug in the interpretation of the ADDITIONAL CDB LENGTH (add_cdb_len)
field of SRP_CMD requests. According to the SRP specification, the layout
of this single-byte field is as follows:
* Bits 0 and 1 are reserved.
* Bits 2 to 7 represent the ADDITIONAL CDB LENGTH field, symbolically
represented as n.
* Still according to the SRP specification, the ADDITIONAL CDB section
takes 4*n bytes.
Currently libsrp is only used by the ibmvscsi driver. Since the ibmvscsi
driver doesn't support large CDB's, this bug hasn't caused any problems yet.
Signed-off-by: Bart Van Assche <bart.vanassche@xxxxxxxxx>
Cc: James E.J. Bottomley <James.Bottomley@xxxxxxx>
Cc: FUJITA Tomonori <fujita.tomonori@xxxxxxxxxxxxx>
Cc: Brian King <brking@xxxxxxxxxxxxxxxxxx>
diff --git a/drivers/scsi/libsrp.c b/drivers/scsi/libsrp.c
index 9ad38e8..710919f 100644
--- a/drivers/scsi/libsrp.c
+++ b/drivers/scsi/libsrp.c
@@ -327,7 +327,7 @@ int srp_transfer_data(struct scsi_cmnd *sc, struct srp_cmd *cmd,
int offset, err = 0;
u8 format;
- offset = cmd->add_cdb_len * 4;
+ offset = (cmd->add_cdb_len >> 2) * 4;
dir = srp_cmd_direction(cmd);
if (dir == DMA_FROM_DEVICE)
@@ -365,7 +365,7 @@ static int vscsis_data_length(struct srp_cmd *cmd, enum dma_data_direction dir)
{
struct srp_direct_buf *md;
struct srp_indirect_buf *id;
- int len = 0, offset = cmd->add_cdb_len * 4;
+ int len = 0, offset = (cmd->add_cdb_len >> 2) * 4;
u8 fmt;
if (dir == DMA_TO_DEVICE)
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
