diff options
author | Stephen M. Cameron <scameron@beardog.cce.hp.com> | 2011-01-06 15:47:48 -0500 |
---|---|---|
committer | James Bottomley <James.Bottomley@suse.de> | 2011-01-24 12:28:48 -0500 |
commit | b03a7771c81a0d5f026250c8cd4091d9ee767fdc (patch) | |
tree | 15545ae189534e7113754b731b03eebf8d83ef83 | |
parent | 5fd1062fdfde39bbc0092ce91e7eedee1007eb96 (diff) |
[SCSI] hpsa: defend against zero sized buffers in passthru ioctls
Signed-off-by: Stephen M. Cameron <scameron@beardog.cce.hp.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
-rw-r--r-- | drivers/scsi/hpsa.c | 36 |
1 files changed, 16 insertions, 20 deletions
diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c index 12deffccb8da..e4b5f3cda82e 100644 --- a/drivers/scsi/hpsa.c +++ b/drivers/scsi/hpsa.c | |||
@@ -2433,15 +2433,17 @@ static int hpsa_passthru_ioctl(struct ctlr_info *h, void __user *argp) | |||
2433 | buff = kmalloc(iocommand.buf_size, GFP_KERNEL); | 2433 | buff = kmalloc(iocommand.buf_size, GFP_KERNEL); |
2434 | if (buff == NULL) | 2434 | if (buff == NULL) |
2435 | return -EFAULT; | 2435 | return -EFAULT; |
2436 | } | 2436 | if (iocommand.Request.Type.Direction == XFER_WRITE) { |
2437 | if (iocommand.Request.Type.Direction == XFER_WRITE) { | 2437 | /* Copy the data into the buffer we created */ |
2438 | /* Copy the data into the buffer we created */ | 2438 | if (copy_from_user(buff, iocommand.buf, |
2439 | if (copy_from_user(buff, iocommand.buf, iocommand.buf_size)) { | 2439 | iocommand.buf_size)) { |
2440 | kfree(buff); | 2440 | kfree(buff); |
2441 | return -EFAULT; | 2441 | return -EFAULT; |
2442 | } | ||
2443 | } else { | ||
2444 | memset(buff, 0, iocommand.buf_size); | ||
2442 | } | 2445 | } |
2443 | } else | 2446 | } |
2444 | memset(buff, 0, iocommand.buf_size); | ||
2445 | c = cmd_special_alloc(h); | 2447 | c = cmd_special_alloc(h); |
2446 | if (c == NULL) { | 2448 | if (c == NULL) { |
2447 | kfree(buff); | 2449 | kfree(buff); |
@@ -2487,8 +2489,8 @@ static int hpsa_passthru_ioctl(struct ctlr_info *h, void __user *argp) | |||
2487 | cmd_special_free(h, c); | 2489 | cmd_special_free(h, c); |
2488 | return -EFAULT; | 2490 | return -EFAULT; |
2489 | } | 2491 | } |
2490 | 2492 | if (iocommand.Request.Type.Direction == XFER_READ && | |
2491 | if (iocommand.Request.Type.Direction == XFER_READ) { | 2493 | iocommand.buf_size > 0) { |
2492 | /* Copy the data out of the buffer we created */ | 2494 | /* Copy the data out of the buffer we created */ |
2493 | if (copy_to_user(iocommand.buf, buff, iocommand.buf_size)) { | 2495 | if (copy_to_user(iocommand.buf, buff, iocommand.buf_size)) { |
2494 | kfree(buff); | 2496 | kfree(buff); |
@@ -2581,14 +2583,7 @@ static int hpsa_big_passthru_ioctl(struct ctlr_info *h, void __user *argp) | |||
2581 | } | 2583 | } |
2582 | c->cmd_type = CMD_IOCTL_PEND; | 2584 | c->cmd_type = CMD_IOCTL_PEND; |
2583 | c->Header.ReplyQueue = 0; | 2585 | c->Header.ReplyQueue = 0; |
2584 | 2586 | c->Header.SGList = c->Header.SGTotal = sg_used; | |
2585 | if (ioc->buf_size > 0) { | ||
2586 | c->Header.SGList = sg_used; | ||
2587 | c->Header.SGTotal = sg_used; | ||
2588 | } else { | ||
2589 | c->Header.SGList = 0; | ||
2590 | c->Header.SGTotal = 0; | ||
2591 | } | ||
2592 | memcpy(&c->Header.LUN, &ioc->LUN_info, sizeof(c->Header.LUN)); | 2587 | memcpy(&c->Header.LUN, &ioc->LUN_info, sizeof(c->Header.LUN)); |
2593 | c->Header.Tag.lower = c->busaddr; | 2588 | c->Header.Tag.lower = c->busaddr; |
2594 | memcpy(&c->Request, &ioc->Request, sizeof(c->Request)); | 2589 | memcpy(&c->Request, &ioc->Request, sizeof(c->Request)); |
@@ -2605,7 +2600,8 @@ static int hpsa_big_passthru_ioctl(struct ctlr_info *h, void __user *argp) | |||
2605 | } | 2600 | } |
2606 | } | 2601 | } |
2607 | hpsa_scsi_do_simple_cmd_core(h, c); | 2602 | hpsa_scsi_do_simple_cmd_core(h, c); |
2608 | hpsa_pci_unmap(h->pdev, c, sg_used, PCI_DMA_BIDIRECTIONAL); | 2603 | if (sg_used) |
2604 | hpsa_pci_unmap(h->pdev, c, sg_used, PCI_DMA_BIDIRECTIONAL); | ||
2609 | check_ioctl_unit_attention(h, c); | 2605 | check_ioctl_unit_attention(h, c); |
2610 | /* Copy the error information out */ | 2606 | /* Copy the error information out */ |
2611 | memcpy(&ioc->error_info, c->err_info, sizeof(ioc->error_info)); | 2607 | memcpy(&ioc->error_info, c->err_info, sizeof(ioc->error_info)); |
@@ -2614,7 +2610,7 @@ static int hpsa_big_passthru_ioctl(struct ctlr_info *h, void __user *argp) | |||
2614 | status = -EFAULT; | 2610 | status = -EFAULT; |
2615 | goto cleanup1; | 2611 | goto cleanup1; |
2616 | } | 2612 | } |
2617 | if (ioc->Request.Type.Direction == XFER_READ) { | 2613 | if (ioc->Request.Type.Direction == XFER_READ && ioc->buf_size > 0) { |
2618 | /* Copy the data out of the buffer we created */ | 2614 | /* Copy the data out of the buffer we created */ |
2619 | BYTE __user *ptr = ioc->buf; | 2615 | BYTE __user *ptr = ioc->buf; |
2620 | for (i = 0; i < sg_used; i++) { | 2616 | for (i = 0; i < sg_used; i++) { |