authorRaghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>2017-08-04 06:51:41 -0400
committerMartin K. Petersen <martin.petersen@oracle.com>2017-08-16 20:01:31 -0400
commitc80267324938a5517fd31fa4bbd2d63c564401f9 (patch)
treeaa4ec116dd65eb4893df36cb2c4fa3d02ceebef0
parent82f0fd06d4a84ff32cc2cf9503764219316ec728 (diff)
scsi: aacraid: Fix out of bounds in aac_get_name_resp
We terminate the aac_get_name_resp on a byte that is outside the bounds of the structure. Extend the return response by one byte to remove the out of bounds reference. Fixes: b836439faf04 ("aacraid: 4KB sector support") Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David Carroll <david.carroll@microsemi.com> Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com> Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-rw-r--r--drivers/scsi/aacraid/aachba.c9
-rw-r--r--drivers/scsi/aacraid/aacraid.h2
2 files changed, 8 insertions, 3 deletions
diff --git a/drivers/scsi/aacraid/aachba.c b/drivers/scsi/aacraid/aachba.c
index 4591113c49de..a1a2c71e1626 100644
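--- a/drivers/scsi/aacraid/aachba.c
+++ b/drivers/scsi/aacraid/aachba.c
@@ -549,7 +549,9 @@ static void get_container_name_callback(void *context, struct fib * fibptr)
 if ((le32_to_cpu(get_name_reply->status) == CT_OK)
 && (get_name_reply->data[0] != '\0')) {
 char *sp = get_name_reply->data;
-sp[sizeof(((struct aac_get_name_resp *)NULL)->data)] = '\0';
+int data_size = FIELD_SIZEOF(struct aac_get_name_resp, data);
+
+sp[data_size - 1] = '\0';
 while (*sp == ' ')
 ++sp;
 if (*sp) {
@@ -579,12 +581,15 @@ static void get_container_name_callback(void *context, struct fib * fibptr)
 static int aac_get_container_name(struct scsi_cmnd * scsicmd)
 {
 int status;
+int data_size;
 struct aac_get_name *dinfo;
 struct fib * cmd_fibcontext;
 struct aac_dev * dev;
 
 dev = (struct aac_dev *)scsicmd->device->host->hostdata;
 
+data_size = FIELD_SIZEOF(struct aac_get_name_resp, data);
+
 cmd_fibcontext = aac_fib_alloc_tag(dev, scsicmd);
 
 aac_fib_init(cmd_fibcontext);
@@ -593,7 +598,7 @@ static int aac_get_container_name(struct scsi_cmnd * scsicmd)
 dinfo->command = cpu_to_le32(VM_ContainerConfig);
 dinfo->type = cpu_to_le32(CT_READ_NAME);
 dinfo->cid = cpu_to_le32(scmd_id(scsicmd));
-dinfo->count = cpu_to_le32(sizeof(((struct aac_get_name_resp *)NULL)->data));
+dinfo->count = cpu_to_le32(data_size - 1);
 
 status = aac_fib_send(ContainerCommand,
 cmd_fibcontext,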
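Review bot: The `data_size - 1` used for the terminator in get_container_name_callback (first hunk) and for `dinfo->count` in aac_get_container_name (third hunk) encodes the same rule twice with nothing tying the two sites together: the last byte of `data` is reserved for the driver's NUL, so the firmware must be asked for one byte less than the field size. A comment at both sites, for example `/* last byte of data[] is reserved for the NUL; firmware fills at most data_size - 1 bytes */`, or a single shared constant in aacraid.h, would keep a later resize of the field from reintroducing the out-of-bounds write. `data_size` could also be declared `size_t` rather than `int`, since it only ever holds a field size. Both function bodies continue outside the hunks.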
diff --git a/drivers/scsi/aacraid/aacraid.h b/drivers/scsi/aacraid/aacraid.h
index d31a9bc2ba69..ee2667e20e42 100644
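--- a/drivers/scsi/aacraid/aacraid.h
+++ b/drivers/scsi/aacraid/aacraid.h
@@ -2274,7 +2274,7 @@ struct aac_get_name_resp {
 __le32 parm3;
 __le32 parm4;
 __le32 parm5;
-u8 data[16];
+u8 data[17];
 };
 
 #define CT_CID_TO_32BITS_UID 165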
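Review bot: Growing `data` to 17 bytes changes `sizeof(struct aac_get_name_resp)`, and because the visible members before it are `__le32` the compiler will probably round the struct up to the next 4-byte multiple unless it is packed. This struct describes a response exchanged with the adapter, so any caller that passes `sizeof(struct aac_get_name_resp)` as a transfer length would now present a size that differs from the firmware's layout. The `aac_fib_send` arguments in aachba.c are cut off in the visible hunk, so that call should be checked. The field also deserves a comment such as `/* 16 bytes from firmware + 1 reserved for the driver's NUL terminator */`. The struct definition starts outside the hunk.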