target: Fix off-by-seven in target_report_luns
author: Jörn Engel <joern@logfs.org>
Thu, 16 Feb 2012 16:14:27 +0000 (11:14 -0500)
committer: Nicholas Bellinger <nab@linux-iscsi.org>
Sat, 25 Feb 2012 22:37:50 +0000 (14:37 -0800)
cdb_offset is always equal to offset - 8, so remove that one.  More
importantly, the existing code only worked correctly if
se_cmd->data_length is a multiple of 8.  Pass in a length of, say, 9 and
we will happily overwrite 7 bytes of "unallocated" memory.

Now, afaics this bug is currently harmless, as allocations will
implicitly be padded to multiples of 8 bytes.  But depending on such a
fact wouldn't qualify as sound engineering practice.

Signed-off-by: Joern Engel <joern@logfs.org>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
drivers/target/target_core_device.c

index 36fa75da085c5572c62aa3c15fce74f63460c692..5cfaa4b6da420c49f2f36a6640a255edafbbe76c 100644 (file)
@@ -650,7 +650,7 @@ int target_report_luns(struct se_task *se_task)
        struct se_lun *se_lun;
        struct se_session *se_sess = se_cmd->se_sess;
        unsigned char *buf;
-       u32 cdb_offset = 0, lun_count = 0, offset = 8, i;
+       u32 lun_count = 0, offset = 8, i;
 
        buf = transport_kmap_data_sg(se_cmd);
        if (!buf)
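Review bot: Dropping cdb_offset is the right call; it was a second counter that always tracked offset - 8, and keeping two counters for one position invites exactly the kind of drift that produced the bad bound below. With only offset left, every bounds check in the loop has to be written against offset itself. A one-line comment at the declaration saying why offset starts at 8 (the first 8 bytes of the REPORT LUNS response are the LUN list length header, per SPC2-R20 7.19 cited in the loop) would make the constant self-explanatory for the next reader.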
@@ -679,12 +679,11 @@ int target_report_luns(struct se_task *se_task)
                 * See SPC2-R20 7.19.
                 */
                lun_count++;
-               if ((cdb_offset + 8) >= se_cmd->data_length)
+               if ((offset + 8) > se_cmd->data_length)
                        continue;
 
                int_to_scsilun(deve->mapped_lun, (struct scsi_lun *)&buf[offset]);
                offset += 8;
-               cdb_offset += 8;
        }
        spin_unlock_irq(&se_sess->se_node_acl->device_list_lock);
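Review bot: The new bound `(offset + 8) > se_cmd->data_length` is the correct one: int_to_scsilun() writes 8 bytes at &buf[offset], so the entry is now written only when offset + 8 <= data_length. The old `(cdb_offset + 8) >= se_cmd->data_length`, with cdb_offset == offset - 8, reduced to `offset >= data_length`, which allowed the write whenever even one byte of the entry still fit and so overran the buffer by up to 7 bytes for any data_length that is not a multiple of 8, exactly the off-by-seven in the subject. Since `lun_count++` stays ahead of the check, the count that goes into the LUN list length header still reflects every mapped LUN even when entries are dropped, which is what the standard expects; a short comment above the `continue` noting "entry does not fit, count it but do not write it" would make that intent visible. One thing not shown in this hunk but worth confirming in the same review: the header write into buf[0..7] after the loop needs an equivalent guard for data_length < 8.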