From patchwork Tue Mar 14 08:01:33 2017
X-Patchwork-Submitter: Jitendra Bhivare
X-Patchwork-Id: 9622661
From: Jitendra Bhivare
To: cleech@redhat.com, lduncan@suse.com
Cc: linux-scsi@vger.kernel.org, Jitendra Bhivare
Subject: [PATCH 8/9] be2iscsi: Check size before copying ASYNC handle
Date: Tue, 14 Mar 2017 13:31:33 +0530
Message-Id: <1489478494-5432-9-git-send-email-jitendra.bhivare@broadcom.com>
In-Reply-To: <1489478494-5432-1-git-send-email-jitendra.bhivare@broadcom.com>

Data in buffers is gathered into a single buffer before being given to
the iSCSI layer. Though it is less likely to have a payload of more than
8K in an ASYNC PDU, the data length is provided by FW and a check for
overrun is missing.

Signed-off-by: Jitendra Bhivare
---
 drivers/scsi/be2iscsi/be_main.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c index ee1f1c4..4b668c4 100644 --- a/drivers/scsi/be2iscsi/be_main.c +++ b/drivers/scsi/be2iscsi/be_main.c @@ -1611,6 +1611,10 @@ beiscsi_hdl_fwd_pdu(struct beiscsi_conn *beiscsi_conn, dlen = pasync_handle->buffer_len; continue; } + if (!pasync_handle->buffer_len || + (dlen + pasync_handle->buffer_len) > + pasync_ctx->async_data.buffer_size) + break; memcpy(pdata + dlen, pasync_handle->pbuffer, pasync_handle->buffer_len); dlen += pasync_handle->buffer_len; @@ -1619,8 +1623,9 @@ beiscsi_hdl_fwd_pdu(struct beiscsi_conn *beiscsi_conn, if (!plast_handle->is_final) { /* last handle should have final PDU notification from FW */ beiscsi_log(phba, KERN_ERR, BEISCSI_LOG_ISCSI, - "BM_%d : cid %u %p fwd async PDU with last handle missing - HL%u:DN%u:DR%u\n", + "BM_%d : cid %u %p fwd async PDU opcode %x with last handle missing - HL%u:DN%u:DR%u\n", beiscsi_conn->beiscsi_conn_cid, plast_handle, + AMAP_GET_BITS(struct amap_pdu_base, opcode, phdr), pasync_ctx->async_entry[cri].wq.hdr_len, pasync_ctx->async_entry[cri].wq.bytes_needed, pasync_ctx->async_entry[cri].wq.bytes_received);
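
Review bot: In the first hunk (@@ -1611), the new bounds check leaves the loop with a bare break, so a zero-length or oversized handle is dropped with no log line and no error status visible here, and whatever was copied so far stays in pdata with the shorter dlen. Since buffer_len is supplied by FW, please log the cid, dlen, buffer_len and async_data.buffer_size at this point and make the failure distinguishable from a normal end of list, so a truncated payload is not forwarded as if it were complete. Two related points: the context line just above, dlen = pasync_handle->buffer_len, takes the first data buffer's length from the same source without comparing it to buffer_size, and the sum dlen + pasync_handle->buffer_len is computed before the comparison, so depending on the field widths it may be safer to write the test as buffer_len > buffer_size - dlen once dlen is known to be within bounds.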
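
Review bot: In the second hunk (@@ -1619), the added AMAP_GET_BITS(struct amap_pdu_base, opcode, phdr) reads through phdr inside the error path, and nothing in the visible lines shows that phdr was set before this point; please confirm it cannot be NULL or stale when the last handle is missing, or guard the read. As a style point, the new "opcode %x" field prints bare hex next to the decimal HL/DN/DR fields, so "opcode 0x%x" would make the log line unambiguous. The commit message only mentions the size check, so the log format change deserves a sentence there as well.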