Commit 7d387066 authored Dec 23, 2016 by David Disseldorp Committed by Bart Van Assche Jan 10, 2017

target: bounds check XCOPY total descriptor list length



spc4r37 6.4.3.5 states:
  If the combined length of the CSCD descriptors and segment descriptors
  exceeds the allowed value, then the copy manager shall terminate the
  command with CHECK CONDITION status, with the sense key set to ILLEGAL
  REQUEST, and the additional sense code set to PARAMETER LIST LENGTH
  ERROR.

This functionality can be tested using the libiscsi
ExtendedCopy.DescrLimits test.

Signed-off-by: David Disseldorp <ddiss@suse.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>

parent af9f62c1

drivers/target/target_core_xcopy.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -894,6 +894,12 @@ sense_reason_t target_do_xcopy(struct se_cmd *se_cmd)
		*/
		tdll = get_unaligned_be16(&p[2]);
		sdll = get_unaligned_be32(&p[8]);
		if (tdll + sdll > RCR_OP_MAX_DESC_LIST_LEN) {
		pr_err("XCOPY descriptor list length %u exceeds maximum %u\n",
		tdll + sdll, RCR_OP_MAX_DESC_LIST_LEN);
		ret = TCM_PARAMETER_LIST_LENGTH_ERROR;
		goto out;
		}

		inline_dl = get_unaligned_be32(&p[12]);
		if (inline_dl != 0) {