When processing received frames, various checks should be issued to
make sure that the info carried is correct.

Here a check for fcp_resp_rsp_info is added, or mm overflow could happen.

Computation for respl is also added, which looks like a beetle, but I
am not sure.

Signed-off-by: Hillf Danton <[email protected]>
---

--- a/drivers/scsi/libfc/fc_fcp.c       2010-11-01 19:54:12.000000000 +0800
+++ b/drivers/scsi/libfc/fc_fcp.c       2010-12-03 21:53:48.000000000 +0800
@@ -845,8 +845,12 @@ static void fc_fcp_resp(struct fc_fcp_pk
                        }
                        if (flags & FCP_SNS_LEN_VAL) {
                                snsl = ntohl(rp_ex->fr_sns_len);
+                               respl = ntohl(rp_ex->fr_rsp_len);
                                if (snsl > SCSI_SENSE_BUFFERSIZE)
                                        snsl = SCSI_SENSE_BUFFERSIZE;
+                               if (plen < sizeof(*fc_rp) + sizeof(*rp_ex) +
+                                               respl + snsl);
+                                       goto len_err;
                                memcpy(fsp->cmd->sense_buffer,
                                       (char *)fc_rp_info + respl, snsl);
                        }
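Review bot: the added condition ends in a stray semicolon at `respl + snsl);`, so the `if` has an empty body and the `goto len_err;` on the next line runs unconditionally whenever FCP_SNS_LEN_VAL is set. As written, the memcpy into fsp->cmd->sense_buffer is never reached and every response carrying sense data is treated as a length error. Drop the semicolon so the jump is taken only when plen is too small. Separately, respl is read from rp_ex->fr_rsp_len and used with no upper bound of its own, while snsl is clamped to SCSI_SENSE_BUFFERSIZE. If the sum `sizeof(*fc_rp) + sizeof(*rp_ex) + respl + snsl` is evaluated in 32 bits, a large fr_rsp_len can wrap it and pass the check, leaving `(char *)fc_rp_info + respl` pointing outside the frame. Rejecting respl against the remaining payload length first, then checking snsl against what is left, avoids depending on the width of the addition.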