diff options
| author | Joe Eykholt <jeykholt@cisco.com> | 2009-11-03 14:48:55 -0500 |
|---|---|---|
| committer | James Bottomley <James.Bottomley@suse.de> | 2009-12-04 13:01:16 -0500 |
| commit | 5f9a056db9c7973c46337ec8d034323aa72bf206 (patch) | |
| tree | 2b61b80ddfcd82fc415856306b791b870e3544d2 | |
| parent | 6049d95a8a223e2dc3a476dea9f0fbc9b580f38f (diff) | |
[SCSI] libfc: fix symbolic name registrations smashing skb data
The strncpy for RSPN_ID and RSNN_NN requests was padding
past the allocated frame size.
Get the string length before filling in the ct header.
Signed-off-by: Joe Eykholt <jeykholt@cisco.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
| -rw-r--r-- | include/scsi/fc_encode.h | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/include/scsi/fc_encode.h b/include/scsi/fc_encode.h index c8968d31c610..ab2260cb149c 100644 --- a/include/scsi/fc_encode.h +++ b/include/scsi/fc_encode.h | |||
| @@ -111,6 +111,7 @@ static inline int fc_ct_fill(struct fc_lport *lport, | |||
| 111 | enum fc_fh_type *fh_type) | 111 | enum fc_fh_type *fh_type) |
| 112 | { | 112 | { |
| 113 | struct fc_ct_req *ct; | 113 | struct fc_ct_req *ct; |
| 114 | size_t len; | ||
| 114 | 115 | ||
| 115 | switch (op) { | 116 | switch (op) { |
| 116 | case FC_NS_GPN_FT: | 117 | case FC_NS_GPN_FT: |
| @@ -138,22 +139,22 @@ static inline int fc_ct_fill(struct fc_lport *lport, | |||
| 138 | break; | 139 | break; |
| 139 | 140 | ||
| 140 | case FC_NS_RSPN_ID: | 141 | case FC_NS_RSPN_ID: |
| 141 | ct = fc_ct_hdr_fill(fp, op, sizeof(struct fc_ns_rspn)); | 142 | len = strnlen(fc_host_symbolic_name(lport->host), 255); |
| 143 | ct = fc_ct_hdr_fill(fp, op, sizeof(struct fc_ns_rspn) + len); | ||
| 142 | hton24(ct->payload.spn.fr_fid.fp_fid, | 144 | hton24(ct->payload.spn.fr_fid.fp_fid, |
| 143 | fc_host_port_id(lport->host)); | 145 | fc_host_port_id(lport->host)); |
| 144 | strncpy(ct->payload.spn.fr_name, | 146 | strncpy(ct->payload.spn.fr_name, |
| 145 | fc_host_symbolic_name(lport->host), 255); | 147 | fc_host_symbolic_name(lport->host), len); |
| 146 | ct->payload.spn.fr_name_len = | 148 | ct->payload.spn.fr_name_len = len; |
| 147 | strnlen(ct->payload.spn.fr_name, 255); | ||
| 148 | break; | 149 | break; |
| 149 | 150 | ||
| 150 | case FC_NS_RSNN_NN: | 151 | case FC_NS_RSNN_NN: |
| 151 | ct = fc_ct_hdr_fill(fp, op, sizeof(struct fc_ns_rsnn)); | 152 | len = strnlen(fc_host_symbolic_name(lport->host), 255); |
| 153 | ct = fc_ct_hdr_fill(fp, op, sizeof(struct fc_ns_rsnn) + len); | ||
| 152 | put_unaligned_be64(lport->wwnn, &ct->payload.snn.fr_wwn); | 154 | put_unaligned_be64(lport->wwnn, &ct->payload.snn.fr_wwn); |
| 153 | strncpy(ct->payload.snn.fr_name, | 155 | strncpy(ct->payload.snn.fr_name, |
| 154 | fc_host_symbolic_name(lport->host), 255); | 156 | fc_host_symbolic_name(lport->host), len); |
| 155 | ct->payload.snn.fr_name_len = | 157 | ct->payload.snn.fr_name_len = len; |
| 156 | strnlen(ct->payload.snn.fr_name, 255); | ||
| 157 | break; | 158 | break; |
| 158 | 159 | ||
| 159 | default: | 160 | default: |