
Commit feb3cc5

Dick Kennedymartinkpetersen
authored andcommitted
scsi: lpfc: Fix validation of bsg reply lengths
There are a couple of code areas which validate sufficient reply buffer length, but the checks are using the request elements rather than the reply elements. Rework to validate using the reply structures. Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Dick Kennedy <[email protected]> Signed-off-by: James Smart <[email protected]> Signed-off-by: Martin K. Petersen <[email protected]>
1 parent 678768d commit feb3cc5


1 file changed

+8
-13
lines changed


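--- a/drivers/scsi/lpfc/lpfc_bsg.c
+++ b/drivers/scsi/lpfc/lpfc_bsg.c
@@ -2494,13 +2494,12 @@ lpfc_sli4_bsg_link_diag_test(struct bsg_job *job)
 diag_status_reply = (struct diag_status *)
 bsg_reply->reply_data.vendor_reply.vendor_rsp;
 
-if (job->reply_len <
-sizeof(struct fc_bsg_request) + sizeof(struct diag_status)) {
+if (job->reply_len < sizeof(*bsg_reply) + sizeof(*diag_status_reply)) {
 lpfc_printf_log(phba, KERN_WARNING, LOG_LIBDFC,
 "3012 Received Run link diag test reply "
 "below minimum size (%d): reply_len:%d\n",
-(int)(sizeof(struct fc_bsg_request) +
-sizeof(struct diag_status)),
+(int)(sizeof(*bsg_reply) +
+sizeof(*diag_status_reply)),
 job->reply_len);
 rc = -EINVAL;
 goto job_error;
@@ -3418,8 +3417,7 @@ lpfc_bsg_get_dfc_rev(struct bsg_job *job)
 event_reply = (struct get_mgmt_rev_reply *)
 bsg_reply->reply_data.vendor_reply.vendor_rsp;
 
-if (job->reply_len <
-sizeof(struct fc_bsg_request) + sizeof(struct get_mgmt_rev_reply)) {
+if (job->reply_len < sizeof(*bsg_reply) + sizeof(*event_reply)) {
 lpfc_printf_log(phba, KERN_WARNING, LOG_LIBDFC,
 "2741 Received GET_DFC_REV reply below "
 "minimum size\n");
@@ -5202,8 +5200,8 @@ lpfc_menlo_cmd(struct bsg_job *job)
 goto no_dd_data;
 }
 
-if (job->reply_len <
-sizeof(struct fc_bsg_request) + sizeof(struct menlo_response)) {
+if (job->reply_len < sizeof(*bsg_reply) +
+sizeof(struct menlo_response)) {
 lpfc_printf_log(phba, KERN_WARNING, LOG_LIBDFC,
 "2785 Received MENLO_CMD reply below "
 "minimum size\n");
@@ -5359,9 +5357,7 @@ lpfc_forced_link_speed(struct bsg_job *job)
 forced_reply = (struct forced_link_speed_support_reply *)
 bsg_reply->reply_data.vendor_reply.vendor_rsp;
 
-if (job->reply_len <
-sizeof(struct fc_bsg_request) +
-sizeof(struct forced_link_speed_support_reply)) {
+if (job->reply_len < sizeof(*bsg_reply) + sizeof(*forced_reply)) {
 lpfc_printf_log(phba, KERN_WARNING, LOG_LIBDFC,
 "0049 Received FORCED_LINK_SPEED reply below "
 "minimum size\n");
@@ -5715,8 +5711,7 @@ lpfc_get_trunk_info(struct bsg_job *job)
 event_reply = (struct lpfc_trunk_info *)
 bsg_reply->reply_data.vendor_reply.vendor_rsp;
 
-if (job->reply_len <
-sizeof(struct fc_bsg_request) + sizeof(struct lpfc_trunk_info)) {
+if (job->reply_len < sizeof(*bsg_reply) + sizeof(*event_reply)) {
 lpfc_printf_log(phba, KERN_WARNING, LOG_LIBDFC,
 "2728 Received GET TRUNK _INFO reply below "
 "minimum size\n");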
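Review bot: The same minimum-reply-length expression is now open-coded at five call sites, and in the lpfc_menlo_cmd hunk the payload term is still spelled as a type name, `sizeof(struct menlo_response)`, while the other four derive it from the pointer that will be written through (`sizeof(*event_reply)` and similar). Since the defect fixed here was the wrong struct copied into every one of these checks, a single static helper taking the job and the payload size, for example `lpfc_bsg_reply_fits(job, sizeof(*event_reply))` (name illustrative), would keep the bound tied to the reply layout in one place. Only the first check logs the required size and `job->reply_len`; the other four messages report neither, which makes a rejected request harder to diagnose from the log. All five enclosing functions start and end outside their hunks, so whether a typed menlo_response pointer is in scope at that check cannot be seen here.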
