Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / f2c1c3233aa7b1742c458b1eed929d675222e70c
commitf2c1c3233aa7b1742c458b1eed929d675222e70c[log] [tgz]
authorNicholas Bellinger <nab@linux-iscsi.org>Tue Oct 18 23:48:04 2011 -0700
committerGreg Kroah-Hartman <gregkh@suse.de>Fri Nov 11 09:35:26 2011 -0800
treee340d5df0545bb166f02d2275f9bc291125b7d91
parent133615a7e293f3628c6f7860a41b9d7964d15a60 [diff]
target: Fix REPORT TARGET PORT GROUPS handling with small allocation length

commit 6b20fa9aaf0c2f69ee6f9648e20ab2be0206705e upstream.

This patch fixes a bug with the handling of REPORT TARGET PORT GROUPS
containing a smaller allocation length than the payload requires causing
memory writes beyond the end of the buffer.  This patch checks for the
minimum 4 byte length for the response payload length, and also checks
upon each loop of T10_ALUA(su_dev)->tg_pt_gps_list to ensure the Target
port group and Target port descriptor list is able to fit into the
remaining allocation length.

If the response payload exceeds the allocation length length, then rd_len
is still increments to indicate to the initiator that the payload has
been truncated.

Reported-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@risingtidesystems.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
1 file changed
tree: e340d5df0545bb166f02d2275f9bc291125b7d91
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS