Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5f9a056d authored by Joe Eykholt's avatar Joe Eykholt Committed by James Bottomley
Browse files

[SCSI] libfc: fix symbolic name registrations smashing skb data 



The strncpy for RSPN_ID and RSNN_NN requests was padding
past the allocated frame size.

Get the string length before filling in the ct header.

Signed-off-by: default avatarJoe Eykholt <jeykholt@cisco.com>
Signed-off-by: default avatarRobert Love <robert.w.love@intel.com>
Signed-off-by: default avatarJames Bottomley <James.Bottomley@suse.de>
parent 6049d95a

include/scsi/fc_encode.h

+9 −8
Original line number Diff line number Diff line
@@ -111,6 +111,7 @@ static inline int fc_ct_fill(struct fc_lport *lport, 
		      enum fc_fh_type *fh_type)

{

	struct fc_ct_req *ct;

	size_t len;



	switch (op) {

	case FC_NS_GPN_FT:
@@ -138,22 +139,22 @@ static inline int fc_ct_fill(struct fc_lport *lport, 
		break;



	case FC_NS_RSPN_ID:

		ct = fc_ct_hdr_fill(fp, op, sizeof(struct fc_ns_rspn));

		len = strnlen(fc_host_symbolic_name(lport->host), 255);

		ct = fc_ct_hdr_fill(fp, op, sizeof(struct fc_ns_rspn) + len);

		hton24(ct->payload.spn.fr_fid.fp_fid,

		       fc_host_port_id(lport->host));

		strncpy(ct->payload.spn.fr_name,

			fc_host_symbolic_name(lport->host), 255);

		ct->payload.spn.fr_name_len =

			strnlen(ct->payload.spn.fr_name, 255);

			fc_host_symbolic_name(lport->host), len);

		ct->payload.spn.fr_name_len = len;

		break;



	case FC_NS_RSNN_NN:

		ct = fc_ct_hdr_fill(fp, op, sizeof(struct fc_ns_rsnn));

		len = strnlen(fc_host_symbolic_name(lport->host), 255);

		ct = fc_ct_hdr_fill(fp, op, sizeof(struct fc_ns_rsnn) + len);

		put_unaligned_be64(lport->wwnn, &ct->payload.snn.fr_wwn);

		strncpy(ct->payload.snn.fr_name,

			fc_host_symbolic_name(lport->host), 255);

		ct->payload.snn.fr_name_len =

			strnlen(ct->payload.snn.fr_name, 255);

			fc_host_symbolic_name(lport->host), len);

		ct->payload.snn.fr_name_len = len;

		break;



	default: