[PATCH 35/55] target: Fix off-by-seven in target_report_luns

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


From: Jörn Engel <joern@xxxxxxxxx>

cdb_offset is always equal to offset - 8, so remove that one.  More
importantly, the existing code only worked correct if
se_cmd->data_length is a multiple of 8.  Pass in a length of, say, 9 and
we will happily overwrite 7 bytes of "unallocated" memory.

Now, afaics this bug is currently harmless, as allocations will
implicitly be padded to multiples of 8 bytes.  But depending on such a
fact wouldn't qualify as sound engineering practice.

Signed-off-by: Joern Engel <joern@xxxxxxxxx>
Signed-off-by: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
---
 drivers/target/target_core_device.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
index 36fa75d..5cfaa4b 100644
--- a/drivers/target/target_core_device.c
+++ b/drivers/target/target_core_device.c
@@ -650,7 +650,7 @@ int target_report_luns(struct se_task *se_task)
 	struct se_lun *se_lun;
 	struct se_session *se_sess = se_cmd->se_sess;
 	unsigned char *buf;
-	u32 cdb_offset = 0, lun_count = 0, offset = 8, i;
+	u32 lun_count = 0, offset = 8, i;
 
 	buf = transport_kmap_data_sg(se_cmd);
 	if (!buf)
@@ -679,12 +679,11 @@ int target_report_luns(struct se_task *se_task)
 		 * See SPC2-R20 7.19.
 		 */
 		lun_count++;
-		if ((cdb_offset + 8) >= se_cmd->data_length)
+		if ((offset + 8) > se_cmd->data_length)
 			continue;
 
 		int_to_scsilun(deve->mapped_lun, (struct scsi_lun *)&buf[offset]);
 		offset += 8;
-		cdb_offset += 8;
 	}
 	spin_unlock_irq(&se_sess->se_node_acl->device_list_lock);
 
-- 
1.7.2.5

--
To unsubscribe from this list: send the line "unsubscribe target-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Linux SCSI]     [Kernel Newbies]     [Linux SCSI Target Infrastructure]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Photos]     [Yosemite]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Linux IIO]     [Samba]     [Video 4 Linux]     [Device Mapper]     [Linux Resources]

Add to Google Powered by Linux