[SCSI] ibmvfc: Sanitize response lengths
Sanitize the response lengths in order to prevent possible oopses in the command response path. Signed-off-by: Brian King <brking@linux.vnet.ibm.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
This commit is contained in:
Brian King
James Bottomley
parent
cf6f10d794
commit
2bac406df5
|
|
@ -1457,8 +1457,8 @@ static void ibmvfc_scsi_done(struct ibmvfc_event *evt)
|
||||||
struct ibmvfc_cmd *vfc_cmd = &evt->xfer_iu->cmd;
|
struct ibmvfc_cmd *vfc_cmd = &evt->xfer_iu->cmd;
|
||||||
struct ibmvfc_fcp_rsp *rsp = &vfc_cmd->rsp;
|
struct ibmvfc_fcp_rsp *rsp = &vfc_cmd->rsp;
|
||||||
struct scsi_cmnd *cmnd = evt->cmnd;
|
struct scsi_cmnd *cmnd = evt->cmnd;
|
||||||
int rsp_len = 0;
|
u32 rsp_len = 0;
|
||||||
int sense_len = rsp->fcp_sense_len;
|
u32 sense_len = rsp->fcp_sense_len;
|
||||||
|
|
||||||
if (cmnd) {
|
if (cmnd) {
|
||||||
if (vfc_cmd->response_flags & IBMVFC_ADAPTER_RESID_VALID)
|
if (vfc_cmd->response_flags & IBMVFC_ADAPTER_RESID_VALID)
|
||||||
|
|
@ -1475,7 +1475,7 @@ static void ibmvfc_scsi_done(struct ibmvfc_event *evt)
|
||||||
rsp_len = rsp->fcp_rsp_len;
|
rsp_len = rsp->fcp_rsp_len;
|
||||||
if ((sense_len + rsp_len) > SCSI_SENSE_BUFFERSIZE)
|
if ((sense_len + rsp_len) > SCSI_SENSE_BUFFERSIZE)
|
||||||
sense_len = SCSI_SENSE_BUFFERSIZE - rsp_len;
|
sense_len = SCSI_SENSE_BUFFERSIZE - rsp_len;
|
||||||
if ((rsp->flags & FCP_SNS_LEN_VALID) && rsp->fcp_sense_len)
|
if ((rsp->flags & FCP_SNS_LEN_VALID) && rsp->fcp_sense_len && rsp_len <= 8)
|
||||||
memcpy(cmnd->sense_buffer, rsp->data.sense + rsp_len, sense_len);
|
memcpy(cmnd->sense_buffer, rsp->data.sense + rsp_len, sense_len);
|
||||||
|
|
||||||
ibmvfc_log_error(evt);
|
ibmvfc_log_error(evt);
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue