diff options
author | Joe Eykholt <jeykholt@cisco.com> | 2009-11-03 20:48:55 +0100 |
---|---|---|
committer | James Bottomley <James.Bottomley@suse.de> | 2009-12-04 19:01:16 +0100 |
commit | 5f9a056db9c7973c46337ec8d034323aa72bf206 (patch) | |
tree | 2b61b80ddfcd82fc415856306b791b870e3544d2 | |
parent | [SCSI] libfc: fix RNN_ID smashing skb payload (diff) | |
download | linux-5f9a056db9c7973c46337ec8d034323aa72bf206.tar.xz linux-5f9a056db9c7973c46337ec8d034323aa72bf206.zip |
[SCSI] libfc: fix symbolic name registrations smashing skb data
The strncpy for RSPN_ID and RSNN_NN requests was padding
past the allocated frame size.
Get the string length before filling in the ct header.
Signed-off-by: Joe Eykholt <jeykholt@cisco.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
-rw-r--r-- | include/scsi/fc_encode.h | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/include/scsi/fc_encode.h b/include/scsi/fc_encode.h index c8968d31c610..ab2260cb149c 100644 --- a/include/scsi/fc_encode.h +++ b/include/scsi/fc_encode.h @@ -111,6 +111,7 @@ static inline int fc_ct_fill(struct fc_lport *lport, enum fc_fh_type *fh_type) { struct fc_ct_req *ct; + size_t len; switch (op) { case FC_NS_GPN_FT: @@ -138,22 +139,22 @@ static inline int fc_ct_fill(struct fc_lport *lport, break; case FC_NS_RSPN_ID: - ct = fc_ct_hdr_fill(fp, op, sizeof(struct fc_ns_rspn)); + len = strnlen(fc_host_symbolic_name(lport->host), 255); + ct = fc_ct_hdr_fill(fp, op, sizeof(struct fc_ns_rspn) + len); hton24(ct->payload.spn.fr_fid.fp_fid, fc_host_port_id(lport->host)); strncpy(ct->payload.spn.fr_name, - fc_host_symbolic_name(lport->host), 255); - ct->payload.spn.fr_name_len = - strnlen(ct->payload.spn.fr_name, 255); + fc_host_symbolic_name(lport->host), len); + ct->payload.spn.fr_name_len = len; break; case FC_NS_RSNN_NN: - ct = fc_ct_hdr_fill(fp, op, sizeof(struct fc_ns_rsnn)); + len = strnlen(fc_host_symbolic_name(lport->host), 255); + ct = fc_ct_hdr_fill(fp, op, sizeof(struct fc_ns_rsnn) + len); put_unaligned_be64(lport->wwnn, &ct->payload.snn.fr_wwn); strncpy(ct->payload.snn.fr_name, - fc_host_symbolic_name(lport->host), 255); - ct->payload.snn.fr_name_len = - strnlen(ct->payload.snn.fr_name, 255); + fc_host_symbolic_name(lport->host), len); + ct->payload.snn.fr_name_len = len; break; default: |