| From 48d1a8d0c26cda3f054278080b93fd0105230d9a Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Tue, 28 Apr 2020 16:19:39 +0300 |
| Subject: scsi: qedi: Check for buffer overflow in qedi_set_path() |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| [ Upstream commit 4a4c0cfb4be74e216dd4446b254594707455bfc6 ] |
| |
| Smatch complains that the "path_data->handle" variable is user controlled. |
| It comes from iscsi_set_path() so that seems possible. It's harmless to |
| add a limit check. |
| |
| The qedi->ep_tbl[] array has qedi->max_active_conns elements (which is |
| always ISCSI_MAX_SESS_PER_HBA (4096) elements). The array is allocated in |
| the qedi_cm_alloc_mem() function. |
| |
| Link: https://lore.kernel.org/r/20200428131939.GA696531@mwanda |
| Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.") |
| Acked-by: Manish Rangankar <mrangankar@marvell.com> |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/scsi/qedi/qedi_iscsi.c | 4 ++++ |
| 1 file changed, 4 insertions(+) |
| |
| diff --git a/drivers/scsi/qedi/qedi_iscsi.c b/drivers/scsi/qedi/qedi_iscsi.c |
| index 94f3829b1974a..1effac1111d5e 100644 |
| --- a/drivers/scsi/qedi/qedi_iscsi.c |
| +++ b/drivers/scsi/qedi/qedi_iscsi.c |
| @@ -1224,6 +1224,10 @@ static int qedi_set_path(struct Scsi_Host *shost, struct iscsi_path *path_data) |
| } |
| |
| iscsi_cid = (u32)path_data->handle; |
| + if (iscsi_cid >= qedi->max_active_conns) { |
| + ret = -EINVAL; |
| + goto set_path_exit; |
| + } |
| qedi_ep = qedi->ep_tbl[iscsi_cid]; |
| QEDI_INFO(&qedi->dbg_ctx, QEDI_LOG_INFO, |
| "iscsi_cid=0x%x, qedi_ep=%p\n", iscsi_cid, qedi_ep); |
| -- |
| 2.25.1 |
| |