Commit 0ddee50e authored by Jitendra Bhivare's avatar Jitendra Bhivare Committed by Martin K. Petersen

scsi: be2iscsi: Check size before copying ASYNC handle

Data in buffers are gathered into a single buffer before giving to iSCSI
layer. Though less likely to have payload more than 8K in ASYNC PDU, the
data length is provide by FW and check is missing for overrun.
Signed-off-by: default avatarJitendra Bhivare <jitendra.bhivare@broadcom.com>
Reviewed-by: default avatarTomas Henzl <thenzl@redhat.com>
Reviewed-by: default avatarChris Leech <cleech@redhat.com>
Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
parent ba6983a7
...@@ -1611,6 +1611,10 @@ beiscsi_hdl_fwd_pdu(struct beiscsi_conn *beiscsi_conn, ...@@ -1611,6 +1611,10 @@ beiscsi_hdl_fwd_pdu(struct beiscsi_conn *beiscsi_conn,
dlen = pasync_handle->buffer_len; dlen = pasync_handle->buffer_len;
continue; continue;
} }
if (!pasync_handle->buffer_len ||
(dlen + pasync_handle->buffer_len) >
pasync_ctx->async_data.buffer_size)
break;
memcpy(pdata + dlen, pasync_handle->pbuffer, memcpy(pdata + dlen, pasync_handle->pbuffer,
pasync_handle->buffer_len); pasync_handle->buffer_len);
dlen += pasync_handle->buffer_len; dlen += pasync_handle->buffer_len;
...@@ -1619,8 +1623,9 @@ beiscsi_hdl_fwd_pdu(struct beiscsi_conn *beiscsi_conn, ...@@ -1619,8 +1623,9 @@ beiscsi_hdl_fwd_pdu(struct beiscsi_conn *beiscsi_conn,
if (!plast_handle->is_final) { if (!plast_handle->is_final) {
/* last handle should have final PDU notification from FW */ /* last handle should have final PDU notification from FW */
beiscsi_log(phba, KERN_ERR, BEISCSI_LOG_ISCSI, beiscsi_log(phba, KERN_ERR, BEISCSI_LOG_ISCSI,
"BM_%d : cid %u %p fwd async PDU with last handle missing - HL%u:DN%u:DR%u\n", "BM_%d : cid %u %p fwd async PDU opcode %x with last handle missing - HL%u:DN%u:DR%u\n",
beiscsi_conn->beiscsi_conn_cid, plast_handle, beiscsi_conn->beiscsi_conn_cid, plast_handle,
AMAP_GET_BITS(struct amap_pdu_base, opcode, phdr),
pasync_ctx->async_entry[cri].wq.hdr_len, pasync_ctx->async_entry[cri].wq.hdr_len,
pasync_ctx->async_entry[cri].wq.bytes_needed, pasync_ctx->async_entry[cri].wq.bytes_needed,
pasync_ctx->async_entry[cri].wq.bytes_received); pasync_ctx->async_entry[cri].wq.bytes_received);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment