
Commit c8026732 authored by Raghava Aditya Renukunta's avatar Raghava Aditya Renukunta Committed by Martin K. Petersen

scsi: aacraid: Fix out of bounds in aac_get_name_resp



We terminate the aac_get_name_resp on a byte that is outside the bounds
of the structure. Extend the return response by one byte to remove the
out of bounds reference.

Fixes: b836439f ("aacraid: 4KB sector support")
Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarDavid Carroll <david.carroll@microsemi.com>
Signed-off-by: default avatarRaghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
Reviewed-by: default avatarBart Van Assche <bart.vanassche@wdc.com>
Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
parent 82f0fd06
+7 −2
@@ -549,7 +549,9 @@ static void get_container_name_callback(void *context, struct fib * fibptr)
	if ((le32_to_cpu(get_name_reply->status) == CT_OK)
	 && (get_name_reply->data[0] != '\0')) {
		char *sp = get_name_reply->data;
		sp[sizeof(((struct aac_get_name_resp *)NULL)->data)] = '\0';
		int data_size = FIELD_SIZEOF(struct aac_get_name_resp, data);

		sp[data_size - 1] = '\0';
		while (*sp == ' ')
			++sp;
		if (*sp) {
@@ -579,12 +581,15 @@ static void get_container_name_callback(void *context, struct fib * fibptr)
static int aac_get_container_name(struct scsi_cmnd * scsicmd)
{
	int status;
	int data_size;
	struct aac_get_name *dinfo;
	struct fib * cmd_fibcontext;
	struct aac_dev * dev;

	dev = (struct aac_dev *)scsicmd->device->host->hostdata;

	data_size = FIELD_SIZEOF(struct aac_get_name_resp, data);

	cmd_fibcontext = aac_fib_alloc_tag(dev, scsicmd);

	aac_fib_init(cmd_fibcontext);
@@ -593,7 +598,7 @@ static int aac_get_container_name(struct scsi_cmnd * scsicmd)
	dinfo->command = cpu_to_le32(VM_ContainerConfig);
	dinfo->type = cpu_to_le32(CT_READ_NAME);
	dinfo->cid = cpu_to_le32(scmd_id(scsicmd));
	dinfo->count = cpu_to_le32(sizeof(((struct aac_get_name_resp *)NULL)->data));
	dinfo->count = cpu_to_le32(data_size - 1);

	status = aac_fib_send(ContainerCommand,
		  cmd_fibcontext,
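Review bot: The `- 1` in `sp[data_size - 1] = '\0';` (get_container_name_callback) and the `- 1` in `dinfo->count = cpu_to_le32(data_size - 1);` (aac_get_container_name) encode the same invariant, but neither function states it. The invariant is that the last byte of `data` is reserved for the driver's terminator, so the firmware is asked for one byte less than the field holds. A later edit that touches only one of the two sites would either bring back the out-of-bounds store or silently shorten the returned name. I would add a comment at the count assignment, for example `/* request one byte less than data[]; the callback writes the NUL there */`, and a matching one above the store in the callback. Both function bodies continue outside the hunks shown.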
+1 −1
@@ -2274,7 +2274,7 @@ struct aac_get_name_resp {
	__le32		parm3;
	__le32		parm4;
	__le32		parm5;
	u8		data[16];
	u8		data[17];
};

#define CT_CID_TO_32BITS_UID 165
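Review bot: Growing `data` from 16 to 17 bytes also changes `sizeof(struct aac_get_name_resp)`. With the `__le32` members ahead of it, the compiler will probably pad the struct up to the next 4-byte multiple unless it is declared packed, which this hunk does not show. If any caller hands that sizeof to the adapter as a reply or transfer size, it should be confirmed that the firmware accepts the larger value; no such call is visible here. The extra byte also deserves a comment on the field itself, for example `u8 data[17]; /* 16 name bytes + NUL written by the driver */`. The struct definition starts above the hunk.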