adulau/aha
1
0
Fork 0
mirror of https://github.com/adulau/aha.git synced 2025-01-02 14:13:18 +00:00
Code Issues Projects Releases Packages Wiki Activity

[SCSI] libiscsi: fix senselen calculation

Browse source 
Yanling Qi, noted that when the sense data length of
a check-condition is greater than 0x7f (127), senselen = (data[0] << 8)
| data[1] will become negative. It causes different kinds of panics from
GPF, spin_lock deadlock to spin_lock recursion.

We were also swapping this value on big endien machines.

This patch fixes both issues by using be16_to_cpu().

Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
This commit is contained in:
Mike Christie 2006-12-17 12:10:28 -06:00 committed by James Bottomley
parent 94cb3f822b
commit 9b80cb4be1
1 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
drivers/scsi/libiscsi.c
View file

@ -260,7 +260,7 @@ static int iscsi_scsi_cmd_rsp(struct iscsi_conn *conn, struct iscsi_hdr *hdr,
} }
if (rhdr->cmd_status == SAM_STAT_CHECK_CONDITION) { if (rhdr->cmd_status == SAM_STAT_CHECK_CONDITION) {
int senselen; uint16_t senselen;
if (datalen < 2) { if (datalen < 2) {
invalid_datalen: invalid_datalen:
@ -270,12 +270,12 @@ invalid_datalen:
goto out; goto out;
} }
senselen = (data[0] << 8) | data[1]; senselen = be16_to_cpu(*(uint16_t *)data);
if (datalen < senselen) if (datalen < senselen)
goto invalid_datalen; goto invalid_datalen;
memcpy(sc->sense_buffer, data + 2, memcpy(sc->sense_buffer, data + 2,
min(senselen, SCSI_SENSE_BUFFERSIZE)); min_t(uint16_t, senselen, SCSI_SENSE_BUFFERSIZE));
debug_scsi("copied %d bytes of sense\n", debug_scsi("copied %d bytes of sense\n",
min(senselen, SCSI_SENSE_BUFFERSIZE)); min(senselen, SCSI_SENSE_BUFFERSIZE));
} }