scsi: iscsi: Verify lengths on passthrough PDUs (56c108c6) · Commits · e / devices / android_kernel_sony_msm8998

drivers/scsi/scsi_transport_iscsi.c

+9 −0

Original line number	Original line	Diff line number	Diff line
	@@ -3526,6 +3526,7 @@ static int
	iscsi_if_recv_msg(struct sk_buff skb, struct nlmsghdr nlh, uint32_t *group)		iscsi_if_recv_msg(struct sk_buff skb, struct nlmsghdr nlh, uint32_t *group)
	{		{
	int err = 0;		int err = 0;
			u32 pdu_len;
	struct iscsi_uevent *ev = nlmsg_data(nlh);		struct iscsi_uevent *ev = nlmsg_data(nlh);
	struct iscsi_transport *transport = NULL;		struct iscsi_transport *transport = NULL;
	struct iscsi_internal *priv;		struct iscsi_internal *priv;
	@@ -3641,6 +3642,14 @@ iscsi_if_recv_msg(struct sk_buff skb, struct nlmsghdr nlh, uint32_t *group)
	err = -EINVAL;		err = -EINVAL;
	break;		break;
	case ISCSI_UEVENT_SEND_PDU:		case ISCSI_UEVENT_SEND_PDU:
			pdu_len = nlh->nlmsg_len - sizeof(nlh) - sizeof(ev);

			if ((ev->u.send_pdu.hdr_size > pdu_len) \|\|
			(ev->u.send_pdu.data_size > (pdu_len - ev->u.send_pdu.hdr_size))) {
			err = -EINVAL;
			break;
			}

	conn = iscsi_conn_lookup(ev->u.send_pdu.sid, ev->u.send_pdu.cid);		conn = iscsi_conn_lookup(ev->u.send_pdu.sid, ev->u.send_pdu.cid);
	if (conn)		if (conn)
	ev->r.retcode = transport->send_pdu(conn,		ev->r.retcode = transport->send_pdu(conn,