
Commit c802673

Raghava Aditya Renukuntamartinkpetersen
authored andcommitted
scsi: aacraid: Fix out of bounds in aac_get_name_resp
We terminate the aac_get_name_resp on a byte that is outside the bounds of the structure. Extend the return response by one byte to remove the out of bounds reference. Fixes: b836439 ("aacraid: 4KB sector support") Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David Carroll <david.carroll@microsemi.com> Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com> Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
1 parent 82f0fd0 commit c802673

2 files changed

+8
-3
lines changed

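--- a/drivers/scsi/aacraid/aachba.c
+++ b/drivers/scsi/aacraid/aachba.c
@@ -549,7 +549,9 @@ static void get_container_name_callback(void *context, struct fib * fibptr)
 if ((le32_to_cpu(get_name_reply->status) == CT_OK)
 && (get_name_reply->data[0] != '\0')) {
 char *sp = get_name_reply->data;
-sp[sizeof(((struct aac_get_name_resp *)NULL)->data)] = '\0';
+int data_size = FIELD_SIZEOF(struct aac_get_name_resp, data);
+
+sp[data_size - 1] = '\0';
 while (*sp == ' ')
 ++sp;
 if (*sp) {
@@ -579,12 +581,15 @@ static void get_container_name_callback(void *context, struct fib * fibptr)
 static int aac_get_container_name(struct scsi_cmnd * scsicmd)
 {
 int status;
+int data_size;
 struct aac_get_name *dinfo;
 struct fib * cmd_fibcontext;
 struct aac_dev * dev;
 
 dev = (struct aac_dev *)scsicmd->device->host->hostdata;
 
+data_size = FIELD_SIZEOF(struct aac_get_name_resp, data);
+
 cmd_fibcontext = aac_fib_alloc_tag(dev, scsicmd);
 
 aac_fib_init(cmd_fibcontext);
@@ -593,7 +598,7 @@ static int aac_get_container_name(struct scsi_cmnd * scsicmd)
 dinfo->command = cpu_to_le32(VM_ContainerConfig);
 dinfo->type = cpu_to_le32(CT_READ_NAME);
 dinfo->cid = cpu_to_le32(scmd_id(scsicmd));
-dinfo->count = cpu_to_le32(sizeof(((struct aac_get_name_resp *)NULL)->data));
+dinfo->count = cpu_to_le32(data_size - 1);
 
 status = aac_fib_send(ContainerCommand,
 cmd_fibcontext,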
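Review bot: The requested byte count and the terminator index are tied together only by two separate `data_size - 1` expressions, one in `aac_get_container_name` and one in `get_container_name_callback`, and neither place records that they must stay equal. A later edit to just one of them could bring back the out-of-bounds store or silently drop the last name byte. I would add a comment above the `dinfo->count` assignment such as `/* request one byte less than data[] holds; the callback writes the NUL into the last byte */`, and a matching one at `sp[data_size - 1] = '\0';`. `data_size` holds a `FIELD_SIZEOF` result, so `size_t` would fit better than `int`. Both functions continue outside the hunks shown.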

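--- a/drivers/scsi/aacraid/aacraid.h
+++ b/drivers/scsi/aacraid/aacraid.h
@@ -2274,7 +2274,7 @@ struct aac_get_name_resp {
 __le32 parm3;
 __le32 parm4;
 __le32 parm5;
-u8 data[16];
+u8 data[17];
 };
 
 #define CT_CID_TO_32BITS_UID 165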
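Review bot: Nothing on `u8 data[17];` says that the seventeenth byte is driver-side room for the terminator and not part of what the adapter is asked to return. A reader comparing the struct with the 16-byte request in aachba.c could well "correct" it back. A trailing comment would pin this down, for example `u8 data[17]; /* 16 name bytes requested from the adapter + NUL written by the driver */`. The struct also grows with this change, so any `sizeof(struct aac_get_name_resp)` used as a reply or transfer size is now larger. The remaining `aac_fib_send` arguments are cut off in the aachba.c section, so that is worth checking against what the adapter accepts. The start of the struct is outside the hunk.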
