diff options
author | Nicholas Bellinger <nab@linux-iscsi.org> | 2013-12-19 23:13:28 +0100 |
---|---|---|
committer | Nicholas Bellinger <nab@linux-iscsi.org> | 2014-01-10 06:48:38 +0100 |
commit | f82f320edc1e26320bd7e58b347d5616e6a23ff2 (patch) | |
tree | e46887b340762c45358f8141c533aaba66b0ea05 /drivers | |
parent | target_core_alua: check for buffer overflow (diff) | |
download | linux-f82f320edc1e26320bd7e58b347d5616e6a23ff2.tar.xz linux-f82f320edc1e26320bd7e58b347d5616e6a23ff2.zip |
target: Convert inquiry temporary buffer to heap memory
This patch converts the temporary buffer in spc_emulate_inquiry() to
use dynamically allocated memory, instead of local stack memory.
Also bump SE_INQUIRY_BUF up to 1024 bytes to be safe when handling
multiple large SCSI name descriptors for EVPD=0x83.
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/target/target_core_spc.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/drivers/target/target_core_spc.c b/drivers/target/target_core_spc.c index f9889fd82994..279d26062f69 100644 --- a/drivers/target/target_core_spc.c +++ b/drivers/target/target_core_spc.c @@ -697,11 +697,15 @@ spc_emulate_inquiry(struct se_cmd *cmd) struct se_portal_group *tpg = cmd->se_lun->lun_sep->sep_tpg; unsigned char *rbuf; unsigned char *cdb = cmd->t_task_cdb; - unsigned char buf[SE_INQUIRY_BUF]; + unsigned char *buf; sense_reason_t ret; int p; - memset(buf, 0, SE_INQUIRY_BUF); + buf = kzalloc(SE_INQUIRY_BUF, GFP_KERNEL); + if (!buf) { + pr_err("Unable to allocate response buffer for INQUIRY\n"); + return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE; + } if (dev == tpg->tpg_virt_lun0.lun_se_dev) buf[0] = 0x3f; /* Not connected */ @@ -734,9 +738,10 @@ spc_emulate_inquiry(struct se_cmd *cmd) out: rbuf = transport_kmap_data_sg(cmd); if (rbuf) { - memcpy(rbuf, buf, min_t(u32, sizeof(buf), cmd->data_length)); + memcpy(rbuf, buf, min_t(u32, SE_INQUIRY_BUF, cmd->data_length)); transport_kunmap_data_sg(cmd); } + kfree(buf); if (!ret) target_complete_cmd(cmd, GOOD); |