diff options
-rw-r--r-- | drivers/scsi/fcoe/libfcoe.c | 31 |
1 files changed, 28 insertions, 3 deletions
diff --git a/drivers/scsi/fcoe/libfcoe.c b/drivers/scsi/fcoe/libfcoe.c index ce651ca2a4bc..f009191063f1 100644 --- a/drivers/scsi/fcoe/libfcoe.c +++ b/drivers/scsi/fcoe/libfcoe.c | |||
@@ -871,7 +871,8 @@ static void fcoe_ctlr_recv_els(struct fcoe_ctlr *fip, struct sk_buff *skb) | |||
871 | size_t els_len = 0; | 871 | size_t els_len = 0; |
872 | size_t rlen; | 872 | size_t rlen; |
873 | size_t dlen; | 873 | size_t dlen; |
874 | u32 dupl_desc = 0; | 874 | u32 desc_mask = 0; |
875 | u32 desc_cnt = 0; | ||
875 | 876 | ||
876 | fiph = (struct fip_header *)skb->data; | 877 | fiph = (struct fip_header *)skb->data; |
877 | sub = fiph->fip_subcode; | 878 | sub = fiph->fip_subcode; |
@@ -884,20 +885,27 @@ static void fcoe_ctlr_recv_els(struct fcoe_ctlr *fip, struct sk_buff *skb) | |||
884 | 885 | ||
885 | desc = (struct fip_desc *)(fiph + 1); | 886 | desc = (struct fip_desc *)(fiph + 1); |
886 | while (rlen > 0) { | 887 | while (rlen > 0) { |
888 | desc_cnt++; | ||
887 | dlen = desc->fip_dlen * FIP_BPW; | 889 | dlen = desc->fip_dlen * FIP_BPW; |
888 | if (dlen < sizeof(*desc) || dlen > rlen) | 890 | if (dlen < sizeof(*desc) || dlen > rlen) |
889 | goto drop; | 891 | goto drop; |
890 | /* Drop ELS if there are duplicate critical descriptors */ | 892 | /* Drop ELS if there are duplicate critical descriptors */ |
891 | if (desc->fip_dtype < 32) { | 893 | if (desc->fip_dtype < 32) { |
892 | if (dupl_desc & 1U << desc->fip_dtype) { | 894 | if (desc_mask & 1U << desc->fip_dtype) { |
893 | LIBFCOE_FIP_DBG(fip, "Duplicate Critical " | 895 | LIBFCOE_FIP_DBG(fip, "Duplicate Critical " |
894 | "Descriptors in FIP ELS\n"); | 896 | "Descriptors in FIP ELS\n"); |
895 | goto drop; | 897 | goto drop; |
896 | } | 898 | } |
897 | dupl_desc |= (1 << desc->fip_dtype); | 899 | desc_mask |= (1 << desc->fip_dtype); |
898 | } | 900 | } |
899 | switch (desc->fip_dtype) { | 901 | switch (desc->fip_dtype) { |
900 | case FIP_DT_MAC: | 902 | case FIP_DT_MAC: |
903 | if (desc_cnt == 1) { | ||
904 | LIBFCOE_FIP_DBG(fip, "FIP descriptors " | ||
905 | "received out of order\n"); | ||
906 | goto drop; | ||
907 | } | ||
908 | |||
901 | if (dlen != sizeof(struct fip_mac_desc)) | 909 | if (dlen != sizeof(struct fip_mac_desc)) |
902 | goto len_err; | 910 | goto len_err; |
903 | memcpy(granted_mac, | 911 | memcpy(granted_mac, |
@@ -914,6 +922,11 @@ static void fcoe_ctlr_recv_els(struct fcoe_ctlr *fip, struct sk_buff *skb) | |||
914 | case FIP_DT_FDISC: | 922 | case FIP_DT_FDISC: |
915 | case FIP_DT_LOGO: | 923 | case FIP_DT_LOGO: |
916 | case FIP_DT_ELP: | 924 | case FIP_DT_ELP: |
925 | if (desc_cnt != 1) { | ||
926 | LIBFCOE_FIP_DBG(fip, "FIP descriptors " | ||
927 | "received out of order\n"); | ||
928 | goto drop; | ||
929 | } | ||
917 | if (fh) | 930 | if (fh) |
918 | goto drop; | 931 | goto drop; |
919 | if (dlen < sizeof(*els) + sizeof(*fh) + 1) | 932 | if (dlen < sizeof(*els) + sizeof(*fh) + 1) |
@@ -929,6 +942,11 @@ static void fcoe_ctlr_recv_els(struct fcoe_ctlr *fip, struct sk_buff *skb) | |||
929 | /* standard says ignore unknown descriptors >= 128 */ | 942 | /* standard says ignore unknown descriptors >= 128 */ |
930 | if (desc->fip_dtype < FIP_DT_VENDOR_BASE) | 943 | if (desc->fip_dtype < FIP_DT_VENDOR_BASE) |
931 | goto drop; | 944 | goto drop; |
945 | if (desc_cnt <= 2) { | ||
946 | LIBFCOE_FIP_DBG(fip, "FIP descriptors " | ||
947 | "received out of order\n"); | ||
948 | goto drop; | ||
949 | } | ||
932 | break; | 950 | break; |
933 | } | 951 | } |
934 | desc = (struct fip_desc *)((char *)desc + dlen); | 952 | desc = (struct fip_desc *)((char *)desc + dlen); |
@@ -944,6 +962,13 @@ static void fcoe_ctlr_recv_els(struct fcoe_ctlr *fip, struct sk_buff *skb) | |||
944 | els_op == ELS_LS_ACC && is_valid_ether_addr(granted_mac)) | 962 | els_op == ELS_LS_ACC && is_valid_ether_addr(granted_mac)) |
945 | fip->flogi_oxid = FC_XID_UNKNOWN; | 963 | fip->flogi_oxid = FC_XID_UNKNOWN; |
946 | 964 | ||
965 | if ((desc_cnt == 0) || ((els_op != ELS_LS_RJT) && | ||
966 | (!(1U << FIP_DT_MAC & desc_mask)))) { | ||
967 | LIBFCOE_FIP_DBG(fip, "Missing critical descriptors " | ||
968 | "in FIP ELS\n"); | ||
969 | goto drop; | ||
970 | } | ||
971 | |||
947 | /* | 972 | /* |
948 | * Convert skb into an fc_frame containing only the ELS. | 973 | * Convert skb into an fc_frame containing only the ELS. |
949 | */ | 974 | */ |