aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNicholas Bellinger <nab@linux-iscsi.org>2011-10-18 23:48:04 -0700
committerGreg Kroah-Hartman <gregkh@suse.de>2011-11-11 09:35:26 -0800
commitf2c1c3233aa7b1742c458b1eed929d675222e70c (patch)
treee340d5df0545bb166f02d2275f9bc291125b7d91
parent133615a7e293f3628c6f7860a41b9d7964d15a60 (diff)
downloadkernel_samsung_tuna-f2c1c3233aa7b1742c458b1eed929d675222e70c.zip
kernel_samsung_tuna-f2c1c3233aa7b1742c458b1eed929d675222e70c.tar.gz
kernel_samsung_tuna-f2c1c3233aa7b1742c458b1eed929d675222e70c.tar.bz2
target: Fix REPORT TARGET PORT GROUPS handling with small allocation length
commit 6b20fa9aaf0c2f69ee6f9648e20ab2be0206705e upstream. This patch fixes a bug with the handling of REPORT TARGET PORT GROUPS containing a smaller allocation length than the payload requires causing memory writes beyond the end of the buffer. This patch checks for the minimum 4 byte length for the response payload length, and also checks upon each loop of T10_ALUA(su_dev)->tg_pt_gps_list to ensure the Target port group and Target port descriptor list is able to fit into the remaining allocation length. If the response payload exceeds the allocation length length, then rd_len is still increments to indicate to the initiator that the payload has been truncated. Reported-by: Roland Dreier <roland@purestorage.com> Signed-off-by: Nicholas Bellinger <nab@risingtidesystems.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--drivers/target/target_core_alua.c20
1 files changed, 20 insertions, 0 deletions
diff --git a/drivers/target/target_core_alua.c b/drivers/target/target_core_alua.c
index 47abb42..86b3660 100644
--- a/drivers/target/target_core_alua.c
+++ b/drivers/target/target_core_alua.c
@@ -60,11 +60,31 @@ int core_emulate_report_target_port_groups(struct se_cmd *cmd)
unsigned char *buf = (unsigned char *)T_TASK(cmd)->t_task_buf;
u32 rd_len = 0, off = 4; /* Skip over RESERVED area to first
Target port group descriptor */
+ /*
+ * Need at least 4 bytes of response data or else we can't
+ * even fit the return data length.
+ */
+ if (cmd->data_length < 4) {
+ pr_warn("REPORT TARGET PORT GROUPS allocation length %u"
+ " too small\n", cmd->data_length);
+ return -EINVAL;
+ }
spin_lock(&T10_ALUA(su_dev)->tg_pt_gps_lock);
list_for_each_entry(tg_pt_gp, &T10_ALUA(su_dev)->tg_pt_gps_list,
tg_pt_gp_list) {
/*
+ * Check if the Target port group and Target port descriptor list
+ * based on tg_pt_gp_members count will fit into the response payload.
+ * Otherwise, bump rd_len to let the initiator know we have exceeded
+ * the allocation length and the response is truncated.
+ */
+ if ((off + 8 + (tg_pt_gp->tg_pt_gp_members * 4)) >
+ cmd->data_length) {
+ rd_len += 8 + (tg_pt_gp->tg_pt_gp_members * 4);
+ continue;
+ }
+ /*
* PREF: Preferred target port bit, determine if this
* bit should be set for port group.
*/