summaryrefslogtreecommitdiffstats
path: root/drivers/target
diff options
context:
space:
mode:
authorDavid Disseldorp <ddiss@suse.de>2016-12-23 11:37:56 +0100
committerBart Van Assche <bart.vanassche@sandisk.com>2017-01-10 17:41:04 +0100
commit7d38706669ce00603b187f667a4eb67c94eac098 (patch)
tree0c4d6bac992d92cb898e83f4e1b19fc8718de04d /drivers/target
parenttarget: bounds check XCOPY segment descriptor list (diff)
downloadlinux-7d38706669ce00603b187f667a4eb67c94eac098.tar.xz
linux-7d38706669ce00603b187f667a4eb67c94eac098.zip
target: bounds check XCOPY total descriptor list length
spc4r37 6.4.3.5 states: If the combined length of the CSCD descriptors and segment descriptors exceeds the allowed value, then the copy manager shall terminate the command with CHECK CONDITION status, with the sense key set to ILLEGAL REQUEST, and the additional sense code set to PARAMETER LIST LENGTH ERROR. This functionality can be tested using the libiscsi ExtendedCopy.DescrLimits test. Signed-off-by: David Disseldorp <ddiss@suse.de> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Diffstat (limited to 'drivers/target')
-rw-r--r--drivers/target/target_core_xcopy.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/target/target_core_xcopy.c b/drivers/target/target_core_xcopy.c
index da0f2da732e7..0d10fcf438d1 100644
--- a/drivers/target/target_core_xcopy.c
+++ b/drivers/target/target_core_xcopy.c
@@ -894,6 +894,12 @@ sense_reason_t target_do_xcopy(struct se_cmd *se_cmd)
*/
tdll = get_unaligned_be16(&p[2]);
sdll = get_unaligned_be32(&p[8]);
+ if (tdll + sdll > RCR_OP_MAX_DESC_LIST_LEN) {
+ pr_err("XCOPY descriptor list length %u exceeds maximum %u\n",
+ tdll + sdll, RCR_OP_MAX_DESC_LIST_LEN);
+ ret = TCM_PARAMETER_LIST_LENGTH_ERROR;
+ goto out;
+ }
inline_dl = get_unaligned_be32(&p[12]);
if (inline_dl != 0) {