aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/target/target_core_device.c
diff options
context:
space:
mode:
authorJörn Engel <joern@logfs.org>2012-02-16 11:14:27 -0500
committerNicholas Bellinger <nab@linux-iscsi.org>2012-02-25 17:37:50 -0500
commit99f730d88fd0a25c3e2dfc357bde4cf6b8cb5b40 (patch)
tree94b74e3bbceda90501e550543dfc82f0bde13917 /drivers/target/target_core_device.c
parent47f1b8803e1e358ebbf4f82bfdb98971c912a2c3 (diff)
target: Fix off-by-seven in target_report_luns
cdb_offset is always equal to offset - 8, so remove that one. More importantly, the existing code only worked correct if se_cmd->data_length is a multiple of 8. Pass in a length of, say, 9 and we will happily overwrite 7 bytes of "unallocated" memory. Now, afaics this bug is currently harmless, as allocations will implicitly be padded to multiples of 8 bytes. But depending on such a fact wouldn't qualify as sound engineering practice. Signed-off-by: Joern Engel <joern@logfs.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Diffstat (limited to 'drivers/target/target_core_device.c')
-rw-r--r--drivers/target/target_core_device.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
index 36fa75da085c..5cfaa4b6da42 100644
--- a/drivers/target/target_core_device.c
+++ b/drivers/target/target_core_device.c
@@ -650,7 +650,7 @@ int target_report_luns(struct se_task *se_task)
650 struct se_lun *se_lun; 650 struct se_lun *se_lun;
651 struct se_session *se_sess = se_cmd->se_sess; 651 struct se_session *se_sess = se_cmd->se_sess;
652 unsigned char *buf; 652 unsigned char *buf;
653 u32 cdb_offset = 0, lun_count = 0, offset = 8, i; 653 u32 lun_count = 0, offset = 8, i;
654 654
655 buf = transport_kmap_data_sg(se_cmd); 655 buf = transport_kmap_data_sg(se_cmd);
656 if (!buf) 656 if (!buf)
@@ -679,12 +679,11 @@ int target_report_luns(struct se_task *se_task)
679 * See SPC2-R20 7.19. 679 * See SPC2-R20 7.19.
680 */ 680 */
681 lun_count++; 681 lun_count++;
682 if ((cdb_offset + 8) >= se_cmd->data_length) 682 if ((offset + 8) > se_cmd->data_length)
683 continue; 683 continue;
684 684
685 int_to_scsilun(deve->mapped_lun, (struct scsi_lun *)&buf[offset]); 685 int_to_scsilun(deve->mapped_lun, (struct scsi_lun *)&buf[offset]);
686 offset += 8; 686 offset += 8;
687 cdb_offset += 8;
688 } 687 }
689 spin_unlock_irq(&se_sess->se_node_acl->device_list_lock); 688 spin_unlock_irq(&se_sess->se_node_acl->device_list_lock);
690 689