From: Alexander Nezhinsky <nezhinsky@xxxxxxxxx> SPC-3, Table 170, "PERSISTENT RESERVE OUT command" defines PARAMETER LIST LENGTH as spanning from byte 5 (MSB) to byte 8 (LSB). Need to extract BE 32bit value starting at 5th byte, and not 16bit value starting at 7 byte. SPC-3, 6.14.1 states: "the PARAMETER LIST LENGTH field shall contain 24 (18h), if the following conditions are true: a) The SPEC_I_PT bit (see 6.14.3) is set to zero; and b) The service action is not REGISTER AND MOVE." As check_pr_out_basic_parameter() covers exactly the above case, we should stipulate parameter list length to be exactly 24 bytes and data transfer length to be at least 24 bytes. Signed-off-by: Alexander Nezhinsky <nezhinsky@xxxxxxxxx> --- usr/spc.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/usr/spc.c b/usr/spc.c index cbe369a..0decaf3 100644 --- a/usr/spc.c +++ b/usr/spc.c @@ -1060,14 +1060,15 @@ static void __unregister(struct scsi_lu *lu, struct registration *reg) static int check_pr_out_basic_parameter(struct scsi_cmd *cmd) { - uint8_t spec_i_pt, all_tg_pt, aptpl; + uint32_t param_list_len; uint8_t *buf; - uint16_t len = 24; + uint8_t spec_i_pt, all_tg_pt, aptpl; - if (get_unaligned_be16(cmd->scb + 7) < len) + param_list_len = get_unaligned_be32(&cmd->scb[5]); + if (param_list_len != 24) return 1; - if (scsi_get_out_length(cmd) < len) + if (scsi_get_out_length(cmd) < 24) return 1; buf = scsi_get_out_buffer(cmd); -- 1.7.9.6
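
Review bot: The new `if (param_list_len != 24)` test in check_pr_out_basic_parameter() is applied unconditionally and sits before `buf = scsi_get_out_buffer(cmd);`, so it runs before spec_i_pt can be read from the parameter data, while the SPC-3 6.14.1 text quoted in the commit message requires exactly 24 only when SPEC_I_PT is zero and the service action is not REGISTER AND MOVE. If every caller of this function is already restricted to that case, a short comment above the check citing SPC-3 6.14.1 and naming that precondition would keep a later caller from inheriting the strict equality by accident; otherwise the equality test belongs after spec_i_pt has been extracted. Separately, with `len` removed the literal 24 now appears twice (`param_list_len != 24` and `scsi_get_out_length(cmd) < 24`); a single named constant for the basic parameter list size would keep the CDB field check and the data-out length check from drifting apart. The offset itself, `&cmd->scb[5]` read as a 32-bit big-endian value, matches the byte 5 (MSB) to byte 8 (LSB) layout given in the message.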