When processing received frames, various checks should be issued to make sure that the info carried is correct. Here check for fcp_resp_rsp_info is added, or mm overflow could happen. Computation for respl is also added, which looks like a beetle, but I am not sure. Signed-off-by: Hillf Danton <dhillf@xxxxxxxxx> --- --- a/drivers/scsi/libfc/fc_fcp.c 2010-11-01 19:54:12.000000000 +0800 +++ b/drivers/scsi/libfc/fc_fcp.c 2010-12-03 21:53:48.000000000 +0800 @@ -845,8 +845,12 @@ static void fc_fcp_resp(struct fc_fcp_pk } if (flags & FCP_SNS_LEN_VAL) { snsl = ntohl(rp_ex->fr_sns_len); + respl = ntohl(rp_ex->fr_rsp_len); if (snsl > SCSI_SENSE_BUFFERSIZE) snsl = SCSI_SENSE_BUFFERSIZE; + if (plen < sizeof(*fc_rp) + sizeof(*rp_ex) + + respl + snsl); + goto len_err; memcpy(fsp->cmd->sense_buffer, (char *)fc_rp_info + respl, snsl); } -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
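Review bot: the new length check in this hunk never gates the goto, because the `if` line ends in a stray semicolon: `if (plen < sizeof(*fc_rp) + sizeof(*rp_ex) + respl + snsl);` is a complete empty statement, so the following `goto len_err;` runs unconditionally and every response with FCP_SNS_LEN_VAL set is rejected as a length error. Drop the semicolon so the statement reads `if (plen < sizeof(*fc_rp) + sizeof(*rp_ex) + respl + snsl) goto len_err;` (with a `-Wempty-body` build this would have been flagged). Two smaller points on the same lines: `respl` is now loaded from `rp_ex->fr_rsp_len` inside the `FCP_SNS_LEN_VAL` branch without checking the response-length-valid flag, so a frame that carries sense data but no valid response length would still contribute whatever `fr_rsp_len` holds to the offset used by the `memcpy`; and the commit message's "looks like a beetle, but I am not sure" should be resolved before merging, since the patch changes which value of `respl` the `(char *)fc_rp_info + respl` offset uses. Note also that the check runs after `snsl` is clamped to `SCSI_SENSE_BUFFERSIZE`, which is the right order for the copy being protected, but a sense length larger than the payload is then silently truncated rather than reported.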