diff options
| author | Nicholas Bellinger <nab@linux-iscsi.org> | 2013-08-24 01:28:56 -0400 |
|---|---|---|
| committer | Nicholas Bellinger <nab@linux-iscsi.org> | 2013-08-24 01:51:16 -0400 |
| commit | 28aaa950320fc7b8df3f6d2d34fa7833391a9b72 (patch) | |
| tree | dca36099b9bf34d0d5f3b4cddce690a74da97493 /drivers/target/iscsi/iscsi_target.c | |
| parent | c9a03c12464c851e691e8d5b6c9deba779c512e0 (diff) | |
iscsi-target: Fix potential NULL pointer in solicited NOPOUT reject
This patch addresses a potential NULL pointer dereference regression in
iscsit_setup_nop_out() code, specifically for two cases when a solicited
NOPOUT triggers a ISCSI_REASON_PROTOCOL_ERROR reject to be generated.
This is because iscsi_cmd is expected to be NULL for solicited NOPOUT
case before iscsit_process_nop_out() locates the descriptor via TTT
using iscsit_find_cmd_from_ttt().
This regression was originally introduced in:
commit ba159914086f06532079fc15141f46ffe7e04a41
Author: Nicholas Bellinger <nab@linux-iscsi.org>
Date: Wed Jul 3 03:48:24 2013 -0700
iscsi-target: Fix iscsit_add_reject* usage for iser
Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Diffstat (limited to 'drivers/target/iscsi/iscsi_target.c')
| -rw-r--r-- | drivers/target/iscsi/iscsi_target.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c index 8fd359cb7da0..3a179302b904 100644 --- a/drivers/target/iscsi/iscsi_target.c +++ b/drivers/target/iscsi/iscsi_target.c | |||
| @@ -1522,6 +1522,10 @@ int iscsit_setup_nop_out(struct iscsi_conn *conn, struct iscsi_cmd *cmd, | |||
| 1522 | if (hdr->itt == RESERVED_ITT && !(hdr->opcode & ISCSI_OP_IMMEDIATE)) { | 1522 | if (hdr->itt == RESERVED_ITT && !(hdr->opcode & ISCSI_OP_IMMEDIATE)) { |
| 1523 | pr_err("NOPOUT ITT is reserved, but Immediate Bit is" | 1523 | pr_err("NOPOUT ITT is reserved, but Immediate Bit is" |
| 1524 | " not set, protocol error.\n"); | 1524 | " not set, protocol error.\n"); |
| 1525 | if (!cmd) | ||
| 1526 | return iscsit_add_reject(conn, ISCSI_REASON_PROTOCOL_ERROR, | ||
| 1527 | (unsigned char *)hdr); | ||
| 1528 | |||
| 1525 | return iscsit_reject_cmd(cmd, ISCSI_REASON_PROTOCOL_ERROR, | 1529 | return iscsit_reject_cmd(cmd, ISCSI_REASON_PROTOCOL_ERROR, |
| 1526 | (unsigned char *)hdr); | 1530 | (unsigned char *)hdr); |
| 1527 | } | 1531 | } |
| @@ -1531,6 +1535,10 @@ int iscsit_setup_nop_out(struct iscsi_conn *conn, struct iscsi_cmd *cmd, | |||
| 1531 | " greater than MaxXmitDataSegmentLength: %u, protocol" | 1535 | " greater than MaxXmitDataSegmentLength: %u, protocol" |
| 1532 | " error.\n", payload_length, | 1536 | " error.\n", payload_length, |
| 1533 | conn->conn_ops->MaxXmitDataSegmentLength); | 1537 | conn->conn_ops->MaxXmitDataSegmentLength); |
| 1538 | if (!cmd) | ||
| 1539 | return iscsit_add_reject(conn, ISCSI_REASON_PROTOCOL_ERROR, | ||
| 1540 | (unsigned char *)hdr); | ||
| 1541 | |||
| 1534 | return iscsit_reject_cmd(cmd, ISCSI_REASON_PROTOCOL_ERROR, | 1542 | return iscsit_reject_cmd(cmd, ISCSI_REASON_PROTOCOL_ERROR, |
| 1535 | (unsigned char *)hdr); | 1543 | (unsigned char *)hdr); |
| 1536 | } | 1544 | } |