diff options
author | Roland Dreier <roland@purestorage.com> | 2012-07-17 00:34:25 +0200 |
---|---|---|
committer | Nicholas Bellinger <nab@linux-iscsi.org> | 2012-07-17 02:35:36 +0200 |
commit | 7409a6657aebf8be74c21d0eded80709b27275cb (patch) | |
tree | c9d79256c4d892a6816e39715016da3d777133f9 | |
parent | target: Fix possible integer underflow in UNMAP emulation (diff) | |
download | linux-7409a6657aebf8be74c21d0eded80709b27275cb.tar.xz linux-7409a6657aebf8be74c21d0eded80709b27275cb.zip |
target: Check number of unmap descriptors against our limit
Fail UNMAP commands that have more than our reported limit on unmap
descriptors.
Signed-off-by: Roland Dreier <roland@purestorage.com>
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
-rw-r--r-- | drivers/target/target_core_iblock.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/target/target_core_iblock.c b/drivers/target/target_core_iblock.c index 2efd70ca0b1d..76db75e836ed 100644 --- a/drivers/target/target_core_iblock.c +++ b/drivers/target/target_core_iblock.c @@ -336,6 +336,11 @@ static int iblock_execute_unmap(struct se_cmd *cmd) bd_dl = get_unaligned_be16(&buf[2]); size = min(size - 8, bd_dl); + if (size / 16 > dev->se_sub_dev->se_dev_attrib.max_unmap_block_desc_count) { + cmd->scsi_sense_reason = TCM_INVALID_PARAMETER_LIST; + ret = -EINVAL; + goto err; + } /* First UNMAP block descriptor starts at 8 byte offset */ ptr = &buf[8]; |