Ensures the first page entry is within bounds. A failed check would
terminate the iSCSI connection instead of causing a NULL-dereference.
This violation seems to happen with certain iSCSI commands where the
computed CDB length is zero but the expected transfer length is
non-zero. The real problem is probably on the iSCSI initiator side
since there is a discrepancy between the iSCSI header and the
encapsulated CDB Opcode.
Signed-off-by: Imran Haider <imran1008@xxxxxxxxx>
---
drivers/target/iscsi/iscsi_target.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
index 961202f..963e9a7 100644
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -737,7 +737,14 @@ static int iscsit_map_iovec(
/*
* We know each entry in t_data_sg contains a page.
*/
- sg = &cmd->se_cmd.t_data_sg[data_offset / PAGE_SIZE];
+ u32 ent = data_offset / PAGE_SIZE;
+
+ if (ent >= cmd->se_cmd.t_data_nents) {
+ pr_err("Initial page entry out-of-bounds\n");
+ return -1;
+ }
+
+ sg = &cmd->se_cmd.t_data_sg[ent];
page_off = (data_offset % PAGE_SIZE);
cmd->first_data_sg = sg;
--
2.8.0
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
