From: Alexander Nezhinsky <nezhinsky@xxxxxxxxx>

Generate PGR caps data-in in a separate buffer and safe-copy it to the command buffer taking into account the allocation length. Set the actual transfer len correctly.

Signed-off-by: Alexander Nezhinsky <nezhinsky@xxxxxxxxx>
---
 usr/spc.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/usr/spc.c b/usr/spc.c
index 8c5ad55..a80820b 100644
--- a/usr/spc.c
+++ b/usr/spc.c
@@ -986,25 +986,22 @@ sense:
 static int spc_pr_report_capabilities(int host_no, struct scsi_cmd *cmd)
 {
+ uint32_t alloc_len, avail_len, actual_len;
+ uint8_t *data, buf[8];
 uint16_t asc = ASC_INVALID_FIELD_IN_CDB;
 uint8_t key = ILLEGAL_REQUEST;
- uint8_t *buf;
- uint16_t len;
- len = get_unaligned_be16(cmd->scb + 7);
- if (len < 8)
+ alloc_len = (uint32_t)get_unaligned_be16(&cmd->scb[7]);
+ if (alloc_len < 8)
 goto sense;
- if (scsi_get_in_length(cmd) < len)
+ if (scsi_get_in_length(cmd) < alloc_len)
 goto sense;
- buf = scsi_get_in_buffer(cmd);
-
- len = 8;
-
- memset(buf, 0, len);
+ memset(buf, 0, 8);
+ avail_len = 8;
- put_unaligned_be16(len, &buf[0]);
+ put_unaligned_be16(avail_len, &buf[0]); /* length */
 /* we don't set any capability for now */
@@ -1018,6 +1015,10 @@ static int spc_pr_report_capabilities(int host_no, struct scsi_cmd *cmd)
 buf[4] |= 0x02; /* PR_TYPE_WRITE_EXCLUSIVE */
 buf[5] |= 0x01; /* PR_TYPE_EXCLUSIVE_ACCESS_ALLREG */
+ data = scsi_get_in_buffer(cmd);
+ actual_len = spc_memcpy(data, &alloc_len, buf, avail_len);
+ scsi_set_in_resid_by_actual(cmd, actual_len);
+
 return SAM_STAT_GOOD;
 sense:
 scsi_set_in_resid_by_actual(cmd, 0);
--
1.7.9.6
--
To unsubscribe from this list: send the line "unsubscribe stgt" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
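Review bot: The literal 8 now appears four times in the first hunk (`buf[8]`, `alloc_len < 8`, `memset(buf, 0, 8)`, `avail_len = 8`), so the size of the stack buffer and the lengths used against it are coupled only by convention. Deriving the lengths from the array keeps a later growth of the capabilities data from writing past `buf` unnoticed: `memset(buf, 0, sizeof(buf));` and `avail_len = sizeof(buf);`. The function body continues past the end of this hunk.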
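Review bot: The write into `data` in the second hunk is bounded by `alloc_len`, a value taken from the CDB, and nothing in this hunk shows that the data-in buffer is at least that large. The guarantee comes from the `scsi_get_in_length(cmd) < alloc_len` check in the first hunk, and from spc_memcpy presumably copying no more than the smaller of `alloc_len` and `avail_len`; its definition is not part of this patch. A comment above the call would keep that dependency visible, for example `/* data holds >= alloc_len bytes (checked above); copy is clamped to alloc_len */`. The function starts before this hunk and its closing brace lies after it.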