From: Dan Carpenter <dan.carpenter@oracle.com>
To: Vikas Chaudhary <vikas.chaudhary@qlogic.com>,
Adheer Chandravanshi <adheer.chandravanshi@qlogic.com>
Cc: iscsi-driver@qlogic.com,
"James E.J. Bottomley" <JBottomley@parallels.com>,
linux-scsi@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch] [SCSI] qla4xxx: overflow in qla4xxx_set_chap_entry()
Date: Wed, 13 Nov 2013 07:48:11 +0000 [thread overview]
Message-ID: <20131113074811.GF25541@elgon.mountain> (raw)
We should cap the size of memcpy() because it comes from the network
and can't be trusted.
Fixes: 26ffd7b45fe9 ('[SCSI] qla4xxx: Add support to set CHAP entries')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
index a28d5e6..cf174a4 100644
--- a/drivers/scsi/qla4xxx/ql4_os.c
+++ b/drivers/scsi/qla4xxx/ql4_os.c
@@ -802,6 +802,7 @@ static int qla4xxx_set_chap_entry(struct Scsi_Host *shost, void *data, int len)
int type;
int rem = len;
int rc = 0;
+ int size;
memset(&chap_rec, 0, sizeof(chap_rec));
@@ -816,12 +817,14 @@ static int qla4xxx_set_chap_entry(struct Scsi_Host *shost, void *data, int len)
chap_rec.chap_type = param_info->value[0];
break;
case ISCSI_CHAP_PARAM_USERNAME:
- memcpy(chap_rec.username, param_info->value,
- param_info->len);
+ size = min_t(size_t, sizeof(chap_rec.username),
+ param_info->len);
+ memcpy(chap_rec.username, param_info->value, size);
break;
case ISCSI_CHAP_PARAM_PASSWORD:
- memcpy(chap_rec.password, param_info->value,
- param_info->len);
+ size = min_t(size_t, sizeof(chap_rec.password),
+ param_info->len);
+ memcpy(chap_rec.password, param_info->value, size);
break;
case ISCSI_CHAP_PARAM_PASSWORD_LEN:
chap_rec.password_length = param_info->value[0];
WARNING: multiple messages have this Message-ID (diff)
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Vikas Chaudhary <vikas.chaudhary@qlogic.com>,
Adheer Chandravanshi <adheer.chandravanshi@qlogic.com>
Cc: iscsi-driver@qlogic.com,
"James E.J. Bottomley" <JBottomley@parallels.com>,
linux-scsi@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch] [SCSI] qla4xxx: overflow in qla4xxx_set_chap_entry()
Date: Wed, 13 Nov 2013 10:48:11 +0300 [thread overview]
Message-ID: <20131113074811.GF25541@elgon.mountain> (raw)
We should cap the size of memcpy() because it comes from the network
and can't be trusted.
Fixes: 26ffd7b45fe9 ('[SCSI] qla4xxx: Add support to set CHAP entries')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
index a28d5e6..cf174a4 100644
--- a/drivers/scsi/qla4xxx/ql4_os.c
+++ b/drivers/scsi/qla4xxx/ql4_os.c
@@ -802,6 +802,7 @@ static int qla4xxx_set_chap_entry(struct Scsi_Host *shost, void *data, int len)
int type;
int rem = len;
int rc = 0;
+ int size;
memset(&chap_rec, 0, sizeof(chap_rec));
@@ -816,12 +817,14 @@ static int qla4xxx_set_chap_entry(struct Scsi_Host *shost, void *data, int len)
chap_rec.chap_type = param_info->value[0];
break;
case ISCSI_CHAP_PARAM_USERNAME:
- memcpy(chap_rec.username, param_info->value,
- param_info->len);
+ size = min_t(size_t, sizeof(chap_rec.username),
+ param_info->len);
+ memcpy(chap_rec.username, param_info->value, size);
break;
case ISCSI_CHAP_PARAM_PASSWORD:
- memcpy(chap_rec.password, param_info->value,
- param_info->len);
+ size = min_t(size_t, sizeof(chap_rec.password),
+ param_info->len);
+ memcpy(chap_rec.password, param_info->value, size);
break;
case ISCSI_CHAP_PARAM_PASSWORD_LEN:
chap_rec.password_length = param_info->value[0];
next reply other threads:[~2013-11-13 7:48 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-13 7:48 Dan Carpenter [this message]
2013-11-13 7:48 ` [patch] [SCSI] qla4xxx: overflow in qla4xxx_set_chap_entry() Dan Carpenter
2013-11-13 11:52 ` Vikas Chaudhary
2013-11-13 11:52 ` Vikas Chaudhary
2013-11-13 12:08 ` Dan Carpenter
2013-11-13 12:08 ` Dan Carpenter
2013-11-13 14:06 ` Dan Carpenter
2013-11-13 14:06 ` Dan Carpenter
2013-11-14 3:53 ` Vikas Chaudhary
2013-11-14 3:53 ` Vikas Chaudhary
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131113074811.GF25541@elgon.mountain \
--to=dan.carpenter@oracle.com \
--cc=JBottomley@parallels.com \
--cc=adheer.chandravanshi@qlogic.com \
--cc=iscsi-driver@qlogic.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=vikas.chaudhary@qlogic.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.