authorNicholas Bellinger <nab@linux-iscsi.org>2013-12-19 23:13:28 +0100
committerNicholas Bellinger <nab@linux-iscsi.org>2014-01-10 06:48:38 +0100
commitf82f320edc1e26320bd7e58b347d5616e6a23ff2 (patch)
treee46887b340762c45358f8141c533aaba66b0ea05 /drivers
parenttarget_core_alua: check for buffer overflow (diff)
target: Convert inquiry temporary buffer to heap memory
This patch converts the temporary buffer in spc_emulate_inquiry() to use dynamically allocated memory, instead of local stack memory. Also bump SE_INQUIRY_BUF up to 1024 bytes to be safe when handling multiple large SCSI name descriptors for EVPD=0x83. Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/target/target_core_spc.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/drivers/target/target_core_spc.c b/drivers/target/target_core_spc.c
index f9889fd82994..279d26062f69 100644
--- a/drivers/target/target_core_spc.c
+++ b/drivers/target/target_core_spc.c
@@ -697,11 +697,15 @@ spc_emulate_inquiry(struct se_cmd *cmd)
struct se_portal_group *tpg = cmd->se_lun->lun_sep->sep_tpg;
unsigned char *rbuf;
unsigned char *cdb = cmd->t_task_cdb;
- unsigned char buf[SE_INQUIRY_BUF];
+ unsigned char *buf;
sense_reason_t ret;
int p;
- memset(buf, 0, SE_INQUIRY_BUF);
+ buf = kzalloc(SE_INQUIRY_BUF, GFP_KERNEL);
+ if (!buf) {
+ pr_err("Unable to allocate response buffer for INQUIRY\n");
+ return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+ }
if (dev == tpg->tpg_virt_lun0.lun_se_dev)
buf[0] = 0x3f; /* Not connected */
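Review bot: The `pr_err()` in the new `!buf` branch runs on every INQUIRY received while the allocation is failing, and the page allocator already reports failed GFP_KERNEL allocations, so the message mostly adds log volume under memory pressure. Either drop it or rate-limit it, `pr_err_ratelimited("Unable to allocate response buffer for INQUIRY\n");`. Since `buf` is now owned by this function, every path after the allocation must leave through `out:`, where the second hunk adds `kfree(buf)`. The code between the two hunks is not visible here, so it is worth confirming that no `return` bypasses that label. The body of spc_emulate_inquiry starts and ends outside this hunk.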
@@ -734,9 +738,10 @@ spc_emulate_inquiry(struct se_cmd *cmd)
out:
rbuf = transport_kmap_data_sg(cmd);
if (rbuf) {
- memcpy(rbuf, buf, min_t(u32, sizeof(buf), cmd->data_length));
+ memcpy(rbuf, buf, min_t(u32, SE_INQUIRY_BUF, cmd->data_length));
transport_kunmap_data_sg(cmd);
}
+ kfree(buf);
if (!ret)
target_complete_cmd(cmd, GOOD);
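Review bot: The `memcpy()` under `out:` is bounded by `SE_INQUIRY_BUF` and `cmd->data_length`, not by the number of bytes the selected page handler wrote, so the unused tail of the heap buffer is sent to the initiator along with the response. That is safe only because the first hunk allocates with `kzalloc()`. A comment above the copy would stop a later switch to `kmalloc()` from disclosing stale heap contents, for example `/* buf is zero-filled by kzalloc(); the unused tail is copied out too */`. The handlers that fill `buf` are not visible in this hunk; if they take the pointer without a length, the size bump described in the commit message is the only limit on what they write, and passing `SE_INQUIRY_BUF` down to them would make that limit enforceable.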