[SCSI] ibmvfc: Sanitize response lengths

Sanitize the response lengths in order to prevent possible oopses in the command response path. Signed-off-by: Brian King <brking@linux.vnet.ibm.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
author: Brian King <brking@linux.vnet.ibm.com> 2008-08-15 11:59:26 -0400
committer: James Bottomley <James.Bottomley@HansenPartnership.com> 2008-08-16 11:49:01 -0400
commit: 2bac406df52100aec42e230a2cc2986d34e86218 (patch)
tree: a862e7a4ac91f9aceff797fc728619a7251b3db5 /drivers/scsi
parent: cf6f10d794ab4a9bd84fce345c3947588670d5f5 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c
index 58f8c9e39ae8..6ecc0ddd4440 100644
--- a/drivers/scsi/ibmvscsi/ibmvfc.c
+++ b/drivers/scsi/ibmvscsi/ibmvfc.c
@@ -1457,8 +1457,8 @@ static void ibmvfc_scsi_done(struct ibmvfc_event *evt)
        struct ibmvfc_cmd *vfc_cmd = &evt->xfer_iu->cmd;
        struct ibmvfc_fcp_rsp *rsp = &vfc_cmd->rsp;
        struct scsi_cmnd *cmnd = evt->cmnd;
-        int rsp_len = 0;
+        u32 rsp_len = 0;
-        int sense_len = rsp->fcp_sense_len;
+        u32 sense_len = rsp->fcp_sense_len;
        if (cmnd) {
                if (vfc_cmd->response_flags & IBMVFC_ADAPTER_RESID_VALID)
@@ -1475,7 +1475,7 @@ static void ibmvfc_scsi_done(struct ibmvfc_event *evt)
                                rsp_len = rsp->fcp_rsp_len;
                        if ((sense_len + rsp_len) > SCSI_SENSE_BUFFERSIZE)
                                sense_len = SCSI_SENSE_BUFFERSIZE - rsp_len;
-                        if ((rsp->flags & FCP_SNS_LEN_VALID) && rsp->fcp_sense_len)
+                        if ((rsp->flags & FCP_SNS_LEN_VALID) && rsp->fcp_sense_len && rsp_len <= 8)
                                memcpy(cmnd->sense_buffer, rsp->data.sense + rsp_len, sense_len);
                        ibmvfc_log_error(evt);
author	Brian King <brking@linux.vnet.ibm.com>	2008-08-15 11:59:26 -0400
committer	James Bottomley <James.Bottomley@HansenPartnership.com>	2008-08-16 11:49:01 -0400
commit	2bac406df52100aec42e230a2cc2986d34e86218 (patch)
tree	a862e7a4ac91f9aceff797fc728619a7251b3db5 /drivers/scsi
parent	cf6f10d794ab4a9bd84fce345c3947588670d5f5 (diff)

diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c index 58f8c9e39ae8..6ecc0ddd4440 100644 --- a/drivers/scsi/ibmvscsi/ibmvfc.c +++ b/drivers/scsi/ibmvscsi/ibmvfc.c
@@ -1457,8 +1457,8 @@ static void ibmvfc_scsi_done(struct ibmvfc_event *evt)
1457	struct ibmvfc_cmd *vfc_cmd = &evt->xfer_iu->cmd;	1457	struct ibmvfc_cmd *vfc_cmd = &evt->xfer_iu->cmd;
1458	struct ibmvfc_fcp_rsp *rsp = &vfc_cmd->rsp;	1458	struct ibmvfc_fcp_rsp *rsp = &vfc_cmd->rsp;
1459	struct scsi_cmnd *cmnd = evt->cmnd;	1459	struct scsi_cmnd *cmnd = evt->cmnd;
1460	int rsp_len = 0;	1460	u32 rsp_len = 0;
1461	int sense_len = rsp->fcp_sense_len;	1461	u32 sense_len = rsp->fcp_sense_len;
1462		1462
1463	if (cmnd) {	1463	if (cmnd) {
1464	if (vfc_cmd->response_flags & IBMVFC_ADAPTER_RESID_VALID)	1464	if (vfc_cmd->response_flags & IBMVFC_ADAPTER_RESID_VALID)
@@ -1475,7 +1475,7 @@ static void ibmvfc_scsi_done(struct ibmvfc_event *evt)
1475	rsp_len = rsp->fcp_rsp_len;	1475	rsp_len = rsp->fcp_rsp_len;
1476	if ((sense_len + rsp_len) > SCSI_SENSE_BUFFERSIZE)	1476	if ((sense_len + rsp_len) > SCSI_SENSE_BUFFERSIZE)
1477	sense_len = SCSI_SENSE_BUFFERSIZE - rsp_len;	1477	sense_len = SCSI_SENSE_BUFFERSIZE - rsp_len;
1478	if ((rsp->flags & FCP_SNS_LEN_VALID) && rsp->fcp_sense_len)	1478	if ((rsp->flags & FCP_SNS_LEN_VALID) && rsp->fcp_sense_len && rsp_len <= 8)
1479	memcpy(cmnd->sense_buffer, rsp->data.sense + rsp_len, sense_len);	1479	memcpy(cmnd->sense_buffer, rsp->data.sense + rsp_len, sense_len);
1480		1480
1481	ibmvfc_log_error(evt);	1481	ibmvfc_log_error(evt);