Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit bbf344e5 authored by Hannes Reinecke's avatar Hannes Reinecke Committed by Nicholas Bellinger
Browse files

target_core_rd: break out unterminated loop during copy 



The loop in rd_execute_rw() will never terminate if the
sg element has a zero size. Or it'll spill over into
outer space if the sg element is larger than the available
space.
So we need to add some safety catches here.

Cc: Nic Bellinger <nab@risingtidesystems.com>
Signed-off-by: default avatarHannes Reinecke <hare@suse.de>
Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
parent 1b7f390e

drivers/target/target_core_rd.c

+12 −0
Original line number Diff line number Diff line
@@ -316,7 +316,19 @@ rd_execute_rw(struct se_cmd *cmd) 
		void *rd_addr;



		sg_miter_next(&m);

		if (!(u32)m.length) {

			pr_debug("RD[%u]: invalid sgl %p len %zu\n",

				 dev->rd_dev_id, m.addr, m.length);

			sg_miter_stop(&m);

			return TCM_INCORRECT_AMOUNT_OF_DATA;

		}

		len = min((u32)m.length, src_len);

		if (len > rd_size) {

			pr_debug("RD[%u]: size underrun page %d offset %d "

				 "size %d\n", dev->rd_dev_id,

				 rd_page, rd_offset, rd_size);

			len = rd_size;

		}

		m.consumed = len;



		rd_addr = sg_virt(rd_sg) + rd_offset;