iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

scsi: aacraid: Fix out of bounds in aac_get_name_resp

Browse Source 
We terminate the aac_get_name_resp on a byte that is outside the bounds
of the structure. Extend the return response by one byte to remove the
out of bounds reference.

Fixes: b836439faf04 ("aacraid: 4KB sector support")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David Carroll <david.carroll@microsemi.com>
Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
This commit is contained in:
Raghava Aditya Renukunta 2017-08-04 03:51:41 -07:00 committed by Martin K. Petersen
parent 82f0fd06d4
commit c802673249
2 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
drivers/scsi/aacraid/aachba.c
View File

@ -549,7 +549,9 @@ static void get_container_name_callback(void *context, struct fib * fibptr)
if ((le32_to_cpu(get_name_reply->status) == CT_OK) if ((le32_to_cpu(get_name_reply->status) == CT_OK)
&& (get_name_reply->data[0] != '\0')) { && (get_name_reply->data[0] != '\0')) {
char *sp = get_name_reply->data; char *sp = get_name_reply->data;
sp[sizeof(((struct aac_get_name_resp *)NULL)->data)] = '\0'; int data_size = FIELD_SIZEOF(struct aac_get_name_resp, data);
sp[data_size - 1] = '\0';
while (*sp == ' ') while (*sp == ' ')
++sp; ++sp;
if (*sp) { if (*sp) {
@ -579,12 +581,15 @@ static void get_container_name_callback(void *context, struct fib * fibptr)
static int aac_get_container_name(struct scsi_cmnd * scsicmd) static int aac_get_container_name(struct scsi_cmnd * scsicmd)
{ {
int status; int status;
int data_size;
struct aac_get_name *dinfo; struct aac_get_name *dinfo;
struct fib * cmd_fibcontext; struct fib * cmd_fibcontext;
struct aac_dev * dev; struct aac_dev * dev;
dev = (struct aac_dev *)scsicmd->device->host->hostdata; dev = (struct aac_dev *)scsicmd->device->host->hostdata;
data_size = FIELD_SIZEOF(struct aac_get_name_resp, data);
cmd_fibcontext = aac_fib_alloc_tag(dev, scsicmd); cmd_fibcontext = aac_fib_alloc_tag(dev, scsicmd);
aac_fib_init(cmd_fibcontext); aac_fib_init(cmd_fibcontext);
@ -593,7 +598,7 @@ static int aac_get_container_name(struct scsi_cmnd * scsicmd)
dinfo->command = cpu_to_le32(VM_ContainerConfig); dinfo->command = cpu_to_le32(VM_ContainerConfig);
dinfo->type = cpu_to_le32(CT_READ_NAME); dinfo->type = cpu_to_le32(CT_READ_NAME);
dinfo->cid = cpu_to_le32(scmd_id(scsicmd)); dinfo->cid = cpu_to_le32(scmd_id(scsicmd));
dinfo->count = cpu_to_le32(sizeof(((struct aac_get_name_resp *)NULL)->data)); dinfo->count = cpu_to_le32(data_size - 1);
status = aac_fib_send(ContainerCommand, status = aac_fib_send(ContainerCommand,
cmd_fibcontext, cmd_fibcontext,

2
drivers/scsi/aacraid/aacraid.h
View File

@ -2274,7 +2274,7 @@ struct aac_get_name_resp {
__le32 parm3; __le32 parm3;
__le32 parm4; __le32 parm4;
__le32 parm5; __le32 parm5;
u8 data[16]; u8 data[17];
}; };
#define CT_CID_TO_32BITS_UID 165 #define CT_CID_TO_32BITS_UID 165