From: Bart Van Assche <bvanassche@acm.org>
To: linux-scsi <linux-scsi@vger.kernel.org>
Cc: Chad Dupuis <chad.dupuis@qlogic.com>,
Saurav Kashyap <saurav.kashyap@qlogic.com>
Subject: [PATCH 07/10] qla2xxx: Help Coverity with analyzing ct_sns_pkt initialization
Date: Wed, 05 Jun 2013 15:07:49 +0200 [thread overview]
Message-ID: <51AF3825.8090401@acm.org> (raw)
In-Reply-To: <51AF36BF.3030602@acm.org>
Coverity reports "Overrunning struct type ct_sns_req of 1228 bytes
by passing it to a function which accesses it at byte offset 8207"
for each qla2x00_prep_ct_req(), qla2x00_prep_ct_fdmi_req() and
qla24xx_prep_ct_fm_req() call. Help Coverity to recognize that
these calls do not trigger a buffer overflow by making it explicit
that these three functions initialize both the request and reply
structures. This patch does not change any functionality.
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Cc: Chad Dupuis <chad.dupuis@qlogic.com>
Cc: Saurav Kashyap <saurav.kashyap@qlogic.com>
---
drivers/scsi/qla2xxx/qla_gs.c | 86 ++++++++++++++++++-----------------------
1 file changed, 38 insertions(+), 48 deletions(-)
diff --git a/drivers/scsi/qla2xxx/qla_gs.c b/drivers/scsi/qla2xxx/qla_gs.c
index f26442a..1ad361b 100644
--- a/drivers/scsi/qla2xxx/qla_gs.c
+++ b/drivers/scsi/qla2xxx/qla_gs.c
@@ -99,17 +99,17 @@ qla24xx_prep_ms_iocb(scsi_qla_host_t *vha, uint32_t req_size, uint32_t rsp_size)
* Returns a pointer to the intitialized @ct_req.
*/
static inline struct ct_sns_req *
-qla2x00_prep_ct_req(struct ct_sns_req *ct_req, uint16_t cmd, uint16_t rsp_size)
+qla2x00_prep_ct_req(struct ct_sns_pkt *p, uint16_t cmd, uint16_t rsp_size)
{
- memset(ct_req, 0, sizeof(struct ct_sns_pkt));
+ memset(p, 0, sizeof(struct ct_sns_pkt));
- ct_req->header.revision = 0x01;
- ct_req->header.gs_type = 0xFC;
- ct_req->header.gs_subtype = 0x02;
- ct_req->command = cpu_to_be16(cmd);
- ct_req->max_rsp_size = cpu_to_be16((rsp_size - 16) / 4);
+ p->p.req.header.revision = 0x01;
+ p->p.req.header.gs_type = 0xFC;
+ p->p.req.header.gs_subtype = 0x02;
+ p->p.req.command = cpu_to_be16(cmd);
+ p->p.req.max_rsp_size = cpu_to_be16((rsp_size - 16) / 4);
- return (ct_req);
+ return &p->p.req;
}
static int
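Review bot: The clear in qla2x00_prep_ct_req still spells its length as a type name; `memset(p, 0, sizeof(*p));` would tie it to the pointer actually passed, so a later signature change cannot reintroduce the size/type mismatch that Coverity reported. The kernel-doc context line still reads "Returns a pointer to the intitialized @ct_req" although the parameter is now `p`; that comment starts outside the hunk and should describe `@p` as the whole CT packet being cleared, with the return value being its `p.req` member. Separately, `(rsp_size - 16) / 4` is evaluated in int, so an rsp_size below 16 would go negative and be truncated by cpu_to_be16() into a large max_rsp_size; the callers visible in this patch pass named size constants or gid_pt_rsp_size, so this is presumably unreachable, but a guard such as `WARN_ON_ONCE(rsp_size < 16);` would make the assumption explicit. The same points apply to the qla2x00_prep_ct_fdmi_req and qla24xx_prep_ct_fm_req hunks.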
@@ -188,8 +188,7 @@ qla2x00_ga_nxt(scsi_qla_host_t *vha, fc_port_t *fcport)
GA_NXT_RSP_SIZE);
/* Prepare CT request */
- ct_req = qla2x00_prep_ct_req(&ha->ct_sns->p.req, GA_NXT_CMD,
- GA_NXT_RSP_SIZE);
+ ct_req = qla2x00_prep_ct_req(ha->ct_sns, GA_NXT_CMD, GA_NXT_RSP_SIZE);
ct_rsp = &ha->ct_sns->p.rsp;
/* Prepare CT arguments -- port_id */
@@ -284,8 +283,7 @@ qla2x00_gid_pt(scsi_qla_host_t *vha, sw_info_t *list)
gid_pt_rsp_size);
/* Prepare CT request */
- ct_req = qla2x00_prep_ct_req(&ha->ct_sns->p.req, GID_PT_CMD,
- gid_pt_rsp_size);
+ ct_req = qla2x00_prep_ct_req(ha->ct_sns, GID_PT_CMD, gid_pt_rsp_size);
ct_rsp = &ha->ct_sns->p.rsp;
/* Prepare CT arguments -- port_type */
@@ -359,7 +357,7 @@ qla2x00_gpn_id(scsi_qla_host_t *vha, sw_info_t *list)
GPN_ID_RSP_SIZE);
/* Prepare CT request */
- ct_req = qla2x00_prep_ct_req(&ha->ct_sns->p.req, GPN_ID_CMD,
+ ct_req = qla2x00_prep_ct_req(ha->ct_sns, GPN_ID_CMD,
GPN_ID_RSP_SIZE);
ct_rsp = &ha->ct_sns->p.rsp;
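Review bot: The call in qla2x00_gpn_id keeps its two-line wrap even though the first argument got shorter, while the same edit in qla2x00_ga_nxt, qla2x00_gid_pt, qla2x00_rff_id and qla2x00_rnn_id joins the call onto one line. Assuming one tab of indentation, `ct_req = qla2x00_prep_ct_req(ha->ct_sns, GPN_ID_CMD, GPN_ID_RSP_SIZE);` fits within 80 columns, so the call sites could be wrapped consistently. The same leftover wrap is in the qla2x00_gnn_id, qla2x00_rft_id, qla2x00_gfpn_id and qla2x00_gff_id hunks. The enclosing function starts and ends outside the hunk.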
@@ -421,7 +419,7 @@ qla2x00_gnn_id(scsi_qla_host_t *vha, sw_info_t *list)
GNN_ID_RSP_SIZE);
/* Prepare CT request */
- ct_req = qla2x00_prep_ct_req(&ha->ct_sns->p.req, GNN_ID_CMD,
+ ct_req = qla2x00_prep_ct_req(ha->ct_sns, GNN_ID_CMD,
GNN_ID_RSP_SIZE);
ct_rsp = &ha->ct_sns->p.rsp;
@@ -495,7 +493,7 @@ qla2x00_rft_id(scsi_qla_host_t *vha)
RFT_ID_RSP_SIZE);
/* Prepare CT request */
- ct_req = qla2x00_prep_ct_req(&ha->ct_sns->p.req, RFT_ID_CMD,
+ ct_req = qla2x00_prep_ct_req(ha->ct_sns, RFT_ID_CMD,
RFT_ID_RSP_SIZE);
ct_rsp = &ha->ct_sns->p.rsp;
@@ -551,8 +549,7 @@ qla2x00_rff_id(scsi_qla_host_t *vha)
RFF_ID_RSP_SIZE);
/* Prepare CT request */
- ct_req = qla2x00_prep_ct_req(&ha->ct_sns->p.req, RFF_ID_CMD,
- RFF_ID_RSP_SIZE);
+ ct_req = qla2x00_prep_ct_req(ha->ct_sns, RFF_ID_CMD, RFF_ID_RSP_SIZE);
ct_rsp = &ha->ct_sns->p.rsp;
/* Prepare CT arguments -- port_id, FC-4 feature, FC-4 type */
@@ -606,8 +603,7 @@ qla2x00_rnn_id(scsi_qla_host_t *vha)
RNN_ID_RSP_SIZE);
/* Prepare CT request */
- ct_req = qla2x00_prep_ct_req(&ha->ct_sns->p.req, RNN_ID_CMD,
- RNN_ID_RSP_SIZE);
+ ct_req = qla2x00_prep_ct_req(ha->ct_sns, RNN_ID_CMD, RNN_ID_RSP_SIZE);
ct_rsp = &ha->ct_sns->p.rsp;
/* Prepare CT arguments -- port_id, node_name */
@@ -676,8 +672,7 @@ qla2x00_rsnn_nn(scsi_qla_host_t *vha)
ms_pkt = ha->isp_ops->prep_ms_iocb(vha, 0, RSNN_NN_RSP_SIZE);
/* Prepare CT request */
- ct_req = qla2x00_prep_ct_req(&ha->ct_sns->p.req, RSNN_NN_CMD,
- RSNN_NN_RSP_SIZE);
+ ct_req = qla2x00_prep_ct_req(ha->ct_sns, RSNN_NN_CMD, RSNN_NN_RSP_SIZE);
ct_rsp = &ha->ct_sns->p.rsp;
/* Prepare CT arguments -- node_name, symbolic node_name, size */
@@ -1262,18 +1257,17 @@ qla2x00_update_ms_fdmi_iocb(scsi_qla_host_t *vha, uint32_t req_size)
* Returns a pointer to the intitialized @ct_req.
*/
static inline struct ct_sns_req *
-qla2x00_prep_ct_fdmi_req(struct ct_sns_req *ct_req, uint16_t cmd,
- uint16_t rsp_size)
+qla2x00_prep_ct_fdmi_req(struct ct_sns_pkt *p, uint16_t cmd, uint16_t rsp_size)
{
- memset(ct_req, 0, sizeof(struct ct_sns_pkt));
+ memset(p, 0, sizeof(struct ct_sns_pkt));
- ct_req->header.revision = 0x01;
- ct_req->header.gs_type = 0xFA;
- ct_req->header.gs_subtype = 0x10;
- ct_req->command = cpu_to_be16(cmd);
- ct_req->max_rsp_size = cpu_to_be16((rsp_size - 16) / 4);
+ p->p.req.header.revision = 0x01;
+ p->p.req.header.gs_type = 0xFA;
+ p->p.req.header.gs_subtype = 0x10;
+ p->p.req.command = cpu_to_be16(cmd);
+ p->p.req.max_rsp_size = cpu_to_be16((rsp_size - 16) / 4);
- return ct_req;
+ return &p->p.req;
}
/**
@@ -1301,8 +1295,7 @@ qla2x00_fdmi_rhba(scsi_qla_host_t *vha)
ms_pkt = ha->isp_ops->prep_ms_fdmi_iocb(vha, 0, RHBA_RSP_SIZE);
/* Prepare CT request */
- ct_req = qla2x00_prep_ct_fdmi_req(&ha->ct_sns->p.req, RHBA_CMD,
- RHBA_RSP_SIZE);
+ ct_req = qla2x00_prep_ct_fdmi_req(ha->ct_sns, RHBA_CMD, RHBA_RSP_SIZE);
ct_rsp = &ha->ct_sns->p.rsp;
/* Prepare FDMI command arguments -- attribute block, attributes. */
@@ -1490,8 +1483,7 @@ qla2x00_fdmi_dhba(scsi_qla_host_t *vha)
DHBA_RSP_SIZE);
/* Prepare CT request */
- ct_req = qla2x00_prep_ct_fdmi_req(&ha->ct_sns->p.req, DHBA_CMD,
- DHBA_RSP_SIZE);
+ ct_req = qla2x00_prep_ct_fdmi_req(ha->ct_sns, DHBA_CMD, DHBA_RSP_SIZE);
ct_rsp = &ha->ct_sns->p.rsp;
/* Prepare FDMI command arguments -- portname. */
@@ -1547,8 +1539,7 @@ qla2x00_fdmi_rpa(scsi_qla_host_t *vha)
ms_pkt = ha->isp_ops->prep_ms_fdmi_iocb(vha, 0, RPA_RSP_SIZE);
/* Prepare CT request */
- ct_req = qla2x00_prep_ct_fdmi_req(&ha->ct_sns->p.req, RPA_CMD,
- RPA_RSP_SIZE);
+ ct_req = qla2x00_prep_ct_fdmi_req(ha->ct_sns, RPA_CMD, RPA_RSP_SIZE);
ct_rsp = &ha->ct_sns->p.rsp;
/* Prepare FDMI command arguments -- attribute block, attributes. */
@@ -1775,7 +1766,7 @@ qla2x00_gfpn_id(scsi_qla_host_t *vha, sw_info_t *list)
GFPN_ID_RSP_SIZE);
/* Prepare CT request */
- ct_req = qla2x00_prep_ct_req(&ha->ct_sns->p.req, GFPN_ID_CMD,
+ ct_req = qla2x00_prep_ct_req(ha->ct_sns, GFPN_ID_CMD,
GFPN_ID_RSP_SIZE);
ct_rsp = &ha->ct_sns->p.rsp;
@@ -1842,18 +1833,17 @@ qla24xx_prep_ms_fm_iocb(scsi_qla_host_t *vha, uint32_t req_size,
static inline struct ct_sns_req *
-qla24xx_prep_ct_fm_req(struct ct_sns_req *ct_req, uint16_t cmd,
- uint16_t rsp_size)
+qla24xx_prep_ct_fm_req(struct ct_sns_pkt *p, uint16_t cmd, uint16_t rsp_size)
{
- memset(ct_req, 0, sizeof(struct ct_sns_pkt));
+ memset(p, 0, sizeof(struct ct_sns_pkt));
- ct_req->header.revision = 0x01;
- ct_req->header.gs_type = 0xFA;
- ct_req->header.gs_subtype = 0x01;
- ct_req->command = cpu_to_be16(cmd);
- ct_req->max_rsp_size = cpu_to_be16((rsp_size - 16) / 4);
+ p->p.req.header.revision = 0x01;
+ p->p.req.header.gs_type = 0xFA;
+ p->p.req.header.gs_subtype = 0x01;
+ p->p.req.command = cpu_to_be16(cmd);
+ p->p.req.max_rsp_size = cpu_to_be16((rsp_size - 16) / 4);
- return ct_req;
+ return &p->p.req;
}
/**
@@ -1889,7 +1879,7 @@ qla2x00_gpsc(scsi_qla_host_t *vha, sw_info_t *list)
GPSC_RSP_SIZE);
/* Prepare CT request */
- ct_req = qla24xx_prep_ct_fm_req(&ha->ct_sns->p.req,
+ ct_req = qla24xx_prep_ct_fm_req(ha->ct_sns,
GPSC_CMD, GPSC_RSP_SIZE);
ct_rsp = &ha->ct_sns->p.rsp;
@@ -2000,7 +1990,7 @@ qla2x00_gff_id(scsi_qla_host_t *vha, sw_info_t *list)
GFF_ID_RSP_SIZE);
/* Prepare CT request */
- ct_req = qla2x00_prep_ct_req(&ha->ct_sns->p.req, GFF_ID_CMD,
+ ct_req = qla2x00_prep_ct_req(ha->ct_sns, GFF_ID_CMD,
GFF_ID_RSP_SIZE);
ct_rsp = &ha->ct_sns->p.rsp;
--
1.7.10.4
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-05 13:01 [PATCH 0/10] qla2xxx: Reduce the number of Coverity warnings Bart Van Assche
2013-06-05 13:02 ` [PATCH 01/10] qla2xxx: Clean up qla24xx_iidma() Bart Van Assche
2013-06-12 8:05 ` Saurav Kashyap
2013-06-12 18:59 ` James Bottomley
2013-06-13 5:20 ` Saurav Kashyap
2013-06-05 13:03 ` [PATCH 02/10] qla2xxx: Clean up qla84xx_mgmt_cmd() Bart Van Assche
2013-06-12 8:06 ` Saurav Kashyap
2013-06-05 13:04 ` [PATCH 03/10] qla2xxx: Remove dead code in qla2x00_configure_hba() Bart Van Assche
2013-06-12 8:08 ` Saurav Kashyap
2013-06-05 13:05 ` [PATCH 04/10] qla2xxx: Remove two superfluous tests Bart Van Assche
2013-06-12 8:08 ` Saurav Kashyap
2013-06-05 13:06 ` [PATCH 05/10] qla2xxx: Remove a dead assignment in qla24xx_build_scsi_crc_2_iocbs() Bart Van Assche
2013-06-12 8:08 ` Saurav Kashyap
2013-06-05 13:06 ` [PATCH 06/10] qla2xxx: Remove redundant assignments Bart Van Assche
2013-06-12 8:09 ` Saurav Kashyap
2013-06-05 13:07 ` Bart Van Assche [this message]
2013-06-12 8:09 ` [PATCH 07/10] qla2xxx: Help Coverity with analyzing ct_sns_pkt initialization Saurav Kashyap
2013-06-05 13:08 ` [PATCH 08/10] qla2xxx: Fix qla2xxx_check_risc_status() Bart Van Assche
2013-06-12 8:10 ` Saurav Kashyap
2013-06-05 13:09 ` [PATCH 09/10] qla2xxx: Remove an unused variable from qla2x00_remove_one() Bart Van Assche
2013-06-12 8:10 ` Saurav Kashyap
2013-06-05 13:09 ` [PATCH 10/10] qla2xxx: Fix a memory leak in an error path of qla2x00_process_els() Bart Van Assche
2013-06-12 8:11 ` Saurav Kashyap
2013-06-07 19:06 ` [PATCH 0/10] qla2xxx: Reduce the number of Coverity warnings Saurav Kashyap
2013-06-08 8:27 ` Bart Van Assche
2013-06-12 8:03 ` Saurav Kashyap