From patchwork Fri Mar 24 08:41:47 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jitendra Bhivare <jitendra.bhivare@broadcom.com>
X-Patchwork-Id: 9642395
Return-Path: <linux-scsi-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	571B760327 for <patchwork-linux-scsi@patchwork.kernel.org>;
	Fri, 24 Mar 2017 08:42:42 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5142D212E8
	for <patchwork-linux-scsi@patchwork.kernel.org>;
	Fri, 24 Mar 2017 08:42:42 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 4486D27F9F; Fri, 24 Mar 2017 08:42:42 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.5 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, RCVD_IN_DNSWL_HI,
	RCVD_IN_SORBS_SPAM autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E607028339
	for <patchwork-linux-scsi@patchwork.kernel.org>;
	Fri, 24 Mar 2017 08:42:41 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1756575AbdCXIml (ORCPT
	<rfc822;patchwork-linux-scsi@patchwork.kernel.org>);
	Fri, 24 Mar 2017 04:42:41 -0400
Received: from mail-qt0-f172.google.com ([209.85.216.172]:34530 "EHLO
	mail-qt0-f172.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1754953AbdCXImc (ORCPT
	<rfc822; linux-scsi@vger.kernel.org>); Fri, 24 Mar 2017 04:42:32 -0400
Received: by mail-qt0-f172.google.com with SMTP id n21so5450419qta.1
	for <linux-scsi@vger.kernel.org>;
	Fri, 24 Mar 2017 01:42:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=broadcom.com; s=google;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=qJQlQLXKchfFJdXUMUcleAz33PqdVFt8meM3weQKJhg=;
	b=FzNOgTtsCZswGeTyEb92m8teLo+iJHBPqL1uIsClHDkDU5bXdi3bLwo/3ZArElj1cm
	ehcf4OC4aOVom+aGA7o+jgZFb/ldaglVv0bnoC/vSdqyvuE/uMrDp8XTBDGi3jgt12pp
	izNgp94NRA9Ll/6CetJios8YGRTqkhEK1tpSI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=qJQlQLXKchfFJdXUMUcleAz33PqdVFt8meM3weQKJhg=;
	b=hU6I7uhH7vYGyCTD1RsY9gnsztYkqpOV7CfmKBf42eiUIGcIjC78fhhv2jj6KWPNKR
	ZbrynXj1twrCaqoH1Mglh5jFaasHGMfF7liahBN+iZj+cuyI061aST3F8HpSJS9wEiig
	atnlDxhlRhHZ7q/eOQrIJIWSuORdzWtC+beFh8e5/UbwS8mE5Gyz5QRQJMwLTD1h1HOf
	kWVQCv/A0abbsC8GuXNuLRiasZ5RmJ3YT4HfOGndxBgw3YLDoDnD6It5pnR4j1Rg6js1
	8OYaTnqA4hMhHQGLL/JeF/XrXzMkHugIQI4cT2+YSYURsuMYX9lInuaqPRrZcqtA8lH4
	A6cA==
X-Gm-Message-State: 
 AFeK/H1Pjo3AyEGumclriob+ki2YZHAuix77r+Wojcwm1fyPZ51AGkt5dwvJICHtjdlf4PPL
X-Received: by 10.200.37.199 with SMTP id f7mr6942467qtf.147.1490344950819;
	Fri, 24 Mar 2017 01:42:30 -0700 (PDT)
Received: from android.lvn.broadcom.net ([192.19.239.250])
	by smtp.gmail.com with ESMTPSA id
	n21sm1080395qkh.16.2017.03.24.01.42.27
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Fri, 24 Mar 2017 01:42:29 -0700 (PDT)
From: Jitendra Bhivare <jitendra.bhivare@broadcom.com>
To: thenzl@redhat.com, cleech@redhat.com, lduncan@suse.com
Cc: linux-scsi@vger.kernel.org,
	Jitendra Bhivare <jitendra.bhivare@broadcom.com>
Subject: [PATCH v3 08/10] be2iscsi: Check size before copying ASYNC handle
Date: Fri, 24 Mar 2017 14:11:47 +0530
Message-Id: <1490344909-29541-9-git-send-email-jitendra.bhivare@broadcom.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1490344909-29541-1-git-send-email-jitendra.bhivare@broadcom.com>
References: <1490344909-29541-1-git-send-email-jitendra.bhivare@broadcom.com>
Sender: linux-scsi-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-scsi.vger.kernel.org>
X-Mailing-List: linux-scsi@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Data in buffers are gathered into a single buffer before giving to
iSCSI layer. Though less likely to have payload more than 8K in
ASYNC PDU, the data length is provide by FW and check is missing
for overrun.

Signed-off-by: Jitendra Bhivare <jitendra.bhivare@broadcom.com>
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
---
 drivers/scsi/be2iscsi/be_main.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c
index ee1f1c4..4b668c4 100644
--- a/drivers/scsi/be2iscsi/be_main.c
+++ b/drivers/scsi/be2iscsi/be_main.c
@@ -1611,6 +1611,10 @@ beiscsi_hdl_fwd_pdu(struct beiscsi_conn *beiscsi_conn,
 			dlen = pasync_handle->buffer_len;
 			continue;
 		}
+		if (!pasync_handle->buffer_len ||
+		    (dlen + pasync_handle->buffer_len) >
+		    pasync_ctx->async_data.buffer_size)
+			break;
 		memcpy(pdata + dlen, pasync_handle->pbuffer,
 		       pasync_handle->buffer_len);
 		dlen += pasync_handle->buffer_len;
@@ -1619,8 +1623,9 @@ beiscsi_hdl_fwd_pdu(struct beiscsi_conn *beiscsi_conn,
 	if (!plast_handle->is_final) {
 		/* last handle should have final PDU notification from FW */
 		beiscsi_log(phba, KERN_ERR, BEISCSI_LOG_ISCSI,
-			    "BM_%d : cid %u %p fwd async PDU with last handle missing - HL%u:DN%u:DR%u\n",
+			    "BM_%d : cid %u %p fwd async PDU opcode %x with last handle missing - HL%u:DN%u:DR%u\n",
 			    beiscsi_conn->beiscsi_conn_cid, plast_handle,
+			    AMAP_GET_BITS(struct amap_pdu_base, opcode, phdr),
 			    pasync_ctx->async_entry[cri].wq.hdr_len,
 			    pasync_ctx->async_entry[cri].wq.bytes_needed,
 			    pasync_ctx->async_entry[cri].wq.bytes_received);