Similar to the handling of iscsit_get_immediate_data in commit abb85a9b512e
("iscsi-target: Reject immediate data underflow larger than SCSI transfer length"),
we thought a patch might be needed here as well.
Signed-off-by: Xiaohui Zhang <xiaohuizhang@xxxxxxxxxx>
---
drivers/target/iscsi/cxgbit/cxgbit_target.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/target/iscsi/cxgbit/cxgbit_target.c b/drivers/target/iscsi/cxgbit/cxgbit_target.c
index acfc39683c87..800bec4b1e88 100644
--- a/drivers/target/iscsi/cxgbit/cxgbit_target.c
+++ b/drivers/target/iscsi/cxgbit/cxgbit_target.c
@@ -920,6 +920,18 @@ cxgbit_get_immediate_data(struct iscsit_cmd *cmd, struct iscsi_scsi_req *hdr,
*/
if (dump_payload)
goto after_immediate_data;
+ /*
+ * Check for underflow case where both EDTL and immediate data payload
+ * exceeds what is presented by CDB's TRANSFER LENGTH, and what has
+ * already been set in target_cmd_size_check() as se_cmd->data_length.
+ *
+ * For this special case, fail the command and dump the immediate data
+ * payload.
+ */
+ if (cmd->first_burst_len > cmd->se_cmd.data_length) {
+ cmd->sense_reason = TCM_INVALID_CDB_FIELD;
+ goto after_immediate_data;
+ }
immed_ret = cxgbit_handle_immediate_data(cmd, hdr,
cmd->first_burst_len);
--
2.17.1
