[PATCH 1/1] cxgbit_target: Reject immediate data underflow larger than SCSI transfer length

[PATCH 1/1] cxgbit_target: Reject immediate data underflow larger than SCSI transfer length

[Xiaohui Zhang]

Similar to the handling of iscsit_get_immediate_data in commit abb85a9b512e
("iscsi-target: Reject immediate data underflow larger than SCSI transfer length"),
we thought a patch might be needed here as well.

Signed-off-by: Xiaohui Zhang <xiaohuizhang@ruc.edu.cn>
---
 drivers/target/iscsi/cxgbit/cxgbit_target.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/target/iscsi/cxgbit/cxgbit_target.c b/drivers/target/iscsi/cxgbit/cxgbit_target.c
index acfc39683c87..800bec4b1e88 100644
--- a/drivers/target/iscsi/cxgbit/cxgbit_target.c
+++ b/drivers/target/iscsi/cxgbit/cxgbit_target.c
@@ -920,6 +920,18 @@ cxgbit_get_immediate_data(struct iscsit_cmd *cmd, struct iscsi_scsi_req *hdr,
 	 */
 	if (dump_payload)
 		goto after_immediate_data;
+	/*
+	 * Check for underflow case where both EDTL and immediate data payload
+	 * exceeds what is presented by CDB's TRANSFER LENGTH, and what has
+	 * already been set in target_cmd_size_check() as se_cmd->data_length.
+	 *
+	 * For this special case, fail the command and dump the immediate data
+	 * payload.
+	 */
+	if (cmd->first_burst_len > cmd->se_cmd.data_length) {
+		cmd->sense_reason = TCM_INVALID_CDB_FIELD;
+		goto after_immediate_data;
+	}
 
 	immed_ret = cxgbit_handle_immediate_data(cmd, hdr,
 						 cmd->first_burst_len);
-- 
2.17.1

Re: [PATCH 1/1] cxgbit_target: Reject immediate data underflow larger than SCSI transfer length

[Mike Christie]

On 6/7/22 9:30 AM, Xiaohui Zhang wrote:
> Similar to the handling of iscsit_get_immediate_data in commit abb85a9b512e
> ("iscsi-target: Reject immediate data underflow larger than SCSI transfer length"),
> we thought a patch might be needed here as well.
> 
> Signed-off-by: Xiaohui Zhang <xiaohuizhang@ruc.edu.cn>
> ---
>  drivers/target/iscsi/cxgbit/cxgbit_target.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
> 
> diff --git a/drivers/target/iscsi/cxgbit/cxgbit_target.c b/drivers/target/iscsi/cxgbit/cxgbit_target.c
> index acfc39683c87..800bec4b1e88 100644
> --- a/drivers/target/iscsi/cxgbit/cxgbit_target.c
> +++ b/drivers/target/iscsi/cxgbit/cxgbit_target.c
> @@ -920,6 +920,18 @@ cxgbit_get_immediate_data(struct iscsit_cmd *cmd, struct iscsi_scsi_req *hdr,
>  	 */
>  	if (dump_payload)
>  		goto after_immediate_data;
> +	/*
> +	 * Check for underflow case where both EDTL and immediate data payload
> +	 * exceeds what is presented by CDB's TRANSFER LENGTH, and what has
> +	 * already been set in target_cmd_size_check() as se_cmd->data_length.
> +	 *
> +	 * For this special case, fail the command and dump the immediate data
> +	 * payload.
> +	 */
> +	if (cmd->first_burst_len > cmd->se_cmd.data_length) {
> +		cmd->sense_reason = TCM_INVALID_CDB_FIELD;
> +		goto after_immediate_data;
> +	}
>  

Do you need something like Bart's patch:

commit 4b3766ec0e1840f45bc9238e7e749922bdcb7016
Author: Bart Van Assche <bvanassche@acm.org>
Date:   Tue Apr 2 12:58:15 2019 -0700

    scsi: target/iscsi: Make sure PDU processing continues if parsing a command fails

with your patch or does cxgb avoid that somehow?