From: Fubo Chen <fubo.chen@xxxxxxxxx>

This patch checks the passed 'unpacked_lun' against TRANSPORT_MAX_LUNS_PER_TPG before reading from struct se_node_acl->device_list[].

Signed-off-by: Fubo Chen <fubo.chen@xxxxxxxxx>
Signed-off-by: Nicholas A. Bellinger <nab@xxxxxxxxxxxxxxx>
---
 drivers/target/target_core_device.c | 12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
index ba698ea..f5516a1 100644
--- a/drivers/target/target_core_device.c
+++ b/drivers/target/target_core_device.c
@@ -65,6 +65,12 @@ int transport_get_lun_for_cmd(
 unsigned long flags;
 int read_only = 0;
+ if (unpacked_lun >= TRANSPORT_MAX_LUNS_PER_TPG) {
+ se_cmd->scsi_sense_reason = TCM_NON_EXISTENT_LUN;
+ se_cmd->se_cmd_flags |= SCF_SCSI_CDB_EXCEPTION;
+ return -1;
+ }
+
 spin_lock_irq(&SE_NODE_ACL(se_sess)->device_list_lock);
 deve = se_cmd->se_deve = &SE_NODE_ACL(se_sess)->device_list[unpacked_lun];
@@ -187,6 +193,12 @@ int transport_get_lun_for_tmr(
 struct se_session *se_sess = SE_SESS(se_cmd);
 struct se_tmr_req *se_tmr = se_cmd->se_tmr_req;
+ if (unpacked_lun >= TRANSPORT_MAX_LUNS_PER_TPG) {
+ se_cmd->scsi_sense_reason = TCM_NON_EXISTENT_LUN;
+ se_cmd->se_cmd_flags |= SCF_SCSI_CDB_EXCEPTION;
+ return -1;
+ }
+
 spin_lock_irq(&SE_NODE_ACL(se_sess)->device_list_lock);
 deve = se_cmd->se_deve = &SE_NODE_ACL(se_sess)->device_list[unpacked_lun];
--
1.7.6
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
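Review bot: The new guard at the top of transport_get_lun_for_cmd() is repeated verbatim at the top of transport_get_lun_for_tmr(), and neither copy says why it is there. Since unpacked_lun presumably arrives from the initiator and indexes device_list[] directly, I would add a comment above each check such as `/* unpacked_lun is initiator-supplied: reject it before it indexes device_list[] */`, or fold the three statements into one static helper so the two paths cannot drift apart. The comparison only closes the out-of-bounds read if unpacked_lun is an unsigned type and device_list[] holds exactly TRANSPORT_MAX_LUNS_PER_TPG entries; both declarations are outside these hunks, so that is worth confirming. The early return is also silent, so a rate-limited log line next to it would let an operator notice out-of-range LUN values arriving from a session. Both function bodies start and end outside the hunks.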