iscsi-target: fix extract_param to handle buffer length corner case commit 369653e4fb511928511b0ce81f41c812ff1f28b6 upstream. extract_param() is called with max_length set to the total size of the output buffer. It's not safe to allow a parameter length equal to the buffer size as the terminating null would be written one byte past the end of the output buffer. Signed-off-by: Eric Seppanen <eric@purestorage.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit: 4af7d07baa43d99a8b94f60e44bf62085587099d [log] [tgz]
author: Eric Seppanen <eric@purestorage.com> Wed Nov 20 14:19:51 2013 -0800
committer: chrmhoffmann <chrmhoffmann@gmail.com> Sun Apr 05 10:19:07 2020 +0200
tree: 3580949b4714d3756e1f6c96ae8206fe66703f20
parent: 8d32fe763682afbffd3b79f2e3df290c3c41f3e9 [diff]
diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c
index 2dba448..60470ee 100644
--- a/drivers/target/iscsi/iscsi_target_nego.c
+++ b/drivers/target/iscsi/iscsi_target_nego.c

@@ -89,7 +89,7 @@
 	if (len < 0)
 		return -1;
 
-	if (len > max_length) {
+	if (len >= max_length) {
 		pr_err("Length of input: %d exceeds max_length:"
 			" %d\n", len, max_length);
 		return -1;
commit	4af7d07baa43d99a8b94f60e44bf62085587099d	[log] [tgz]
author	Eric Seppanen <eric@purestorage.com>	Wed Nov 20 14:19:51 2013 -0800
committer	chrmhoffmann <chrmhoffmann@gmail.com>	Sun Apr 05 10:19:07 2020 +0200
tree	3580949b4714d3756e1f6c96ae8206fe66703f20
parent	8d32fe763682afbffd3b79f2e3df290c3c41f3e9 [diff]