aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorBrian King <brking@linux.vnet.ibm.com>2008-08-15 11:59:26 -0400
committerJames Bottomley <James.Bottomley@HansenPartnership.com>2008-08-16 11:49:01 -0400
commit2bac406df52100aec42e230a2cc2986d34e86218 (patch)
treea862e7a4ac91f9aceff797fc728619a7251b3db5 /drivers
parentcf6f10d794ab4a9bd84fce345c3947588670d5f5 (diff)
[SCSI] ibmvfc: Sanitize response lengths
Sanitize the response lengths in order to prevent possible oopses in the command response path. Signed-off-by: Brian King <brking@linux.vnet.ibm.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/scsi/ibmvscsi/ibmvfc.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c
index 58f8c9e39ae8..6ecc0ddd4440 100644
--- a/drivers/scsi/ibmvscsi/ibmvfc.c
+++ b/drivers/scsi/ibmvscsi/ibmvfc.c
@@ -1457,8 +1457,8 @@ static void ibmvfc_scsi_done(struct ibmvfc_event *evt)
1457 struct ibmvfc_cmd *vfc_cmd = &evt->xfer_iu->cmd; 1457 struct ibmvfc_cmd *vfc_cmd = &evt->xfer_iu->cmd;
1458 struct ibmvfc_fcp_rsp *rsp = &vfc_cmd->rsp; 1458 struct ibmvfc_fcp_rsp *rsp = &vfc_cmd->rsp;
1459 struct scsi_cmnd *cmnd = evt->cmnd; 1459 struct scsi_cmnd *cmnd = evt->cmnd;
1460 int rsp_len = 0; 1460 u32 rsp_len = 0;
1461 int sense_len = rsp->fcp_sense_len; 1461 u32 sense_len = rsp->fcp_sense_len;
1462 1462
1463 if (cmnd) { 1463 if (cmnd) {
1464 if (vfc_cmd->response_flags & IBMVFC_ADAPTER_RESID_VALID) 1464 if (vfc_cmd->response_flags & IBMVFC_ADAPTER_RESID_VALID)
@@ -1475,7 +1475,7 @@ static void ibmvfc_scsi_done(struct ibmvfc_event *evt)
1475 rsp_len = rsp->fcp_rsp_len; 1475 rsp_len = rsp->fcp_rsp_len;
1476 if ((sense_len + rsp_len) > SCSI_SENSE_BUFFERSIZE) 1476 if ((sense_len + rsp_len) > SCSI_SENSE_BUFFERSIZE)
1477 sense_len = SCSI_SENSE_BUFFERSIZE - rsp_len; 1477 sense_len = SCSI_SENSE_BUFFERSIZE - rsp_len;
1478 if ((rsp->flags & FCP_SNS_LEN_VALID) && rsp->fcp_sense_len) 1478 if ((rsp->flags & FCP_SNS_LEN_VALID) && rsp->fcp_sense_len && rsp_len <= 8)
1479 memcpy(cmnd->sense_buffer, rsp->data.sense + rsp_len, sense_len); 1479 memcpy(cmnd->sense_buffer, rsp->data.sense + rsp_len, sense_len);
1480 1480
1481 ibmvfc_log_error(evt); 1481 ibmvfc_log_error(evt);