qla2xxx: Terminate exchange if corrupted

Corrupted ATIO is defined as length of fcp_header & fcp_cmd payload is less than 0x38. It's the minimum size for a frame to carry 8..16 bytes SCSI CDB. The exchange will be dropped or terminated if corrupted. Signed-off-by: Quinn Tran <quinn.tran@cavium.com> Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com> Reviewed-by: Christoph Hellwig <hch@lst.de> [ bvanassche: Fixed spelling in patch title ] Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
author: Quinn Tran <quinn.tran@cavium.com> 2016-12-24 03:06:11 +0100
committer: Bart Van Assche <bart.vanassche@sandisk.com> 2017-01-17 20:26:56 +0100
commit: 5f35509db179ca7ed1feaa4b14f841adb06ed220 (patch)
tree: f5b4e6bc95ec09eed327291db14d45217ebb6e33 /drivers/scsi/qla2xxx/qla_def.h
parent: qla2xxx: Fix crash due to null pointer access (diff)
download: linux-5f35509db179ca7ed1feaa4b14f841adb06ed220.tar.xz
linux-5f35509db179ca7ed1feaa4b14f841adb06ed220.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
index f7df01b76714..1f7c6d2c736d 100644
--- a/drivers/scsi/qla2xxx/qla_def.h
+++ b/drivers/scsi/qla2xxx/qla_def.h
@@ -1556,7 +1556,8 @@ typedef struct {
 struct atio {
 	uint8_t		entry_type;		/* Entry type. */
 	uint8_t		entry_count;		/* Entry count. */
-	uint8_t		data[58];
+	__le16		attr_n_length;
+	uint8_t		data[56];
 	uint32_t	signature;
 #define ATIO_PROCESSED 0xDEADDEAD		/* Signature */
 };
author	Quinn Tran <quinn.tran@cavium.com>	2016-12-24 03:06:11 +0100
committer	Bart Van Assche <bart.vanassche@sandisk.com>	2017-01-17 20:26:56 +0100
commit	5f35509db179ca7ed1feaa4b14f841adb06ed220 (patch)
tree	f5b4e6bc95ec09eed327291db14d45217ebb6e33 /drivers/scsi/qla2xxx/qla_def.h
parent	qla2xxx: Fix crash due to null pointer access (diff)
download	linux-5f35509db179ca7ed1feaa4b14f841adb06ed220.tar.xz linux-5f35509db179ca7ed1feaa4b14f841adb06ed220.zip