From patchwork Thu Mar 16 03:24:43 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jitendra Bhivare <jitendra.bhivare@broadcom.com>
X-Patchwork-Id: 9627043
Return-Path: <linux-scsi-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	9252E60244 for <patchwork-linux-scsi@patchwork.kernel.org>;
	Thu, 16 Mar 2017 03:26:07 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 882D228604
	for <patchwork-linux-scsi@patchwork.kernel.org>;
	Thu, 16 Mar 2017 03:26:07 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 7D0F928637; Thu, 16 Mar 2017 03:26:07 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU,
	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 24FAD28604
	for <patchwork-linux-scsi@patchwork.kernel.org>;
	Thu, 16 Mar 2017 03:26:07 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751389AbdCPD0G (ORCPT
	<rfc822;patchwork-linux-scsi@patchwork.kernel.org>);
	Wed, 15 Mar 2017 23:26:06 -0400
Received: from mail-wm0-f44.google.com ([74.125.82.44]:38748 "EHLO
	mail-wm0-f44.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751354AbdCPD0B (ORCPT
	<rfc822; linux-scsi@vger.kernel.org>); Wed, 15 Mar 2017 23:26:01 -0400
Received: by mail-wm0-f44.google.com with SMTP id t189so37336654wmt.1
	for <linux-scsi@vger.kernel.org>;
	Wed, 15 Mar 2017 20:25:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=broadcom.com; s=google;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=qJQlQLXKchfFJdXUMUcleAz33PqdVFt8meM3weQKJhg=;
	b=CjSj0e/EtFuxECiuFSARvUVqdCT1l1LF6ff6BHVuBRBIlEM/657/RXGslWk25mbT3j
	LMx6JUMsrBR0XomOHRY8VIK4OSiaA6SkvIN1brN6aE9bZwGbnpEYSS7YHNSCIYlFshzV
	8YuCxMes0bK/R7k1XgzSJdp5/r6UsgFP+9OhI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=qJQlQLXKchfFJdXUMUcleAz33PqdVFt8meM3weQKJhg=;
	b=BWFEOUo+9Eq1rBXk0b5Yw7p5dV1SU1Or14+9dEZpqSmYcAN/MVKfGEmdj4OilYCUC/
	8NHwmo6EFywmT9IDhLKbbzzADmMAuTl6aE81GdjO3V/I2c1UbmyyR6RFAnGG+nPLZdF5
	7t9od9YisbyE2+B2SpglGH6SEuB717ga/zwS8Y1UNlB6SL66+W35SBLFan2TVTn7aRth
	5+XkPI58X0W1nZY2Vj1Tm1LXUTD6jL5cq1xf0idFOt1wMKmTun2GZiDqyLe1UMKJDK8g
	1MJume4l4hwIQ8SZr6cDjJRNaZPfFEvm3zIuoIf46kF6zglGoFFGU/Ee1HsvpDA6tOJa
	rVBg==
X-Gm-Message-State: 
 AFeK/H0U71JSqhBPdtnzlkfFMfQ96rtupsGe64MeT03Ht4PPnG6GjqOMbeC7TijPtJd/P1be
X-Received: by 10.28.180.135 with SMTP id d129mr6852025wmf.135.1489634739087;
	Wed, 15 Mar 2017 20:25:39 -0700 (PDT)
Received: from android.dhcp.avagotech.net ([192.19.239.250])
	by smtp.gmail.com with ESMTPSA id
	l21sm4454655wrl.59.2017.03.15.20.25.35
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Wed, 15 Mar 2017 20:25:38 -0700 (PDT)
From: Jitendra Bhivare <jitendra.bhivare@broadcom.com>
To: cleech@redhat.com, lduncan@suse.com
Cc: linux-scsi@vger.kernel.org,
	Jitendra Bhivare <jitendra.bhivare@broadcom.com>
Subject: [PATCH v2 08/10] be2iscsi: Check size before copying ASYNC handle
Date: Thu, 16 Mar 2017 08:54:43 +0530
Message-Id: <1489634685-4975-9-git-send-email-jitendra.bhivare@broadcom.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1489634685-4975-1-git-send-email-jitendra.bhivare@broadcom.com>
References: <1489634685-4975-1-git-send-email-jitendra.bhivare@broadcom.com>
Sender: linux-scsi-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-scsi.vger.kernel.org>
X-Mailing-List: linux-scsi@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Data in buffers are gathered into a single buffer before giving to
iSCSI layer. Though less likely to have payload more than 8K in
ASYNC PDU, the data length is provide by FW and check is missing
for overrun.

Signed-off-by: Jitendra Bhivare <jitendra.bhivare@broadcom.com>
---
 drivers/scsi/be2iscsi/be_main.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c
index ee1f1c4..4b668c4 100644
--- a/drivers/scsi/be2iscsi/be_main.c
+++ b/drivers/scsi/be2iscsi/be_main.c
@@ -1611,6 +1611,10 @@ beiscsi_hdl_fwd_pdu(struct beiscsi_conn *beiscsi_conn,
 			dlen = pasync_handle->buffer_len;
 			continue;
 		}
+		if (!pasync_handle->buffer_len ||
+		    (dlen + pasync_handle->buffer_len) >
+		    pasync_ctx->async_data.buffer_size)
+			break;
 		memcpy(pdata + dlen, pasync_handle->pbuffer,
 		       pasync_handle->buffer_len);
 		dlen += pasync_handle->buffer_len;
@@ -1619,8 +1623,9 @@ beiscsi_hdl_fwd_pdu(struct beiscsi_conn *beiscsi_conn,
 	if (!plast_handle->is_final) {
 		/* last handle should have final PDU notification from FW */
 		beiscsi_log(phba, KERN_ERR, BEISCSI_LOG_ISCSI,
-			    "BM_%d : cid %u %p fwd async PDU with last handle missing - HL%u:DN%u:DR%u\n",
+			    "BM_%d : cid %u %p fwd async PDU opcode %x with last handle missing - HL%u:DN%u:DR%u\n",
 			    beiscsi_conn->beiscsi_conn_cid, plast_handle,
+			    AMAP_GET_BITS(struct amap_pdu_base, opcode, phdr),
 			    pasync_ctx->async_entry[cri].wq.hdr_len,
 			    pasync_ctx->async_entry[cri].wq.bytes_needed,
 			    pasync_ctx->async_entry[cri].wq.bytes_received);