From 99f730d88fd0a25c3e2dfc357bde4cf6b8cb5b40 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rn=20Engel?= Date: Thu, 16 Feb 2012 11:14:27 -0500 Subject: target: Fix off-by-seven in target_report_luns cdb_offset is always equal to offset - 8, so remove that one. More importantly, the existing code only worked correct if se_cmd->data_length is a multiple of 8. Pass in a length of, say, 9 and we will happily overwrite 7 bytes of "unallocated" memory. Now, afaics this bug is currently harmless, as allocations will implicitly be padded to multiples of 8 bytes. But depending on such a fact wouldn't qualify as sound engineering practice. Signed-off-by: Joern Engel Signed-off-by: Nicholas Bellinger diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c index 36fa75d..5cfaa4b 100644 --- a/drivers/target/target_core_device.c +++ b/drivers/target/target_core_device.c @@ -650,7 +650,7 @@ int target_report_luns(struct se_task *se_task) struct se_lun *se_lun; struct se_session *se_sess = se_cmd->se_sess; unsigned char *buf; - u32 cdb_offset = 0, lun_count = 0, offset = 8, i; + u32 lun_count = 0, offset = 8, i; buf = transport_kmap_data_sg(se_cmd); if (!buf) @@ -679,12 +679,11 @@ int target_report_luns(struct se_task *se_task) * See SPC2-R20 7.19. */ lun_count++; - if ((cdb_offset + 8) >= se_cmd->data_length) + if ((offset + 8) > se_cmd->data_length) continue; int_to_scsilun(deve->mapped_lun, (struct scsi_lun *)&buf[offset]); offset += 8; - cdb_offset += 8; } spin_unlock_irq(&se_sess->se_node_acl->device_list_lock); -- cgit v0.10.2