scsi: aacraid: Fix out of bounds in aac_get_name_resp
authorRaghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
Fri, 4 Aug 2017 10:51:41 +0000 (03:51 -0700)
committerMartin K. Petersen <martin.petersen@oracle.com>
Thu, 17 Aug 2017 00:01:31 +0000 (20:01 -0400)
We terminate the aac_get_name_resp on a byte that is outside the bounds
of the structure. Extend the return response by one byte to remove the
out of bounds reference.

Fixes: b836439faf04 ("aacraid: 4KB sector support")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David Carroll <david.carroll@microsemi.com>
Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
drivers/scsi/aacraid/aachba.c
drivers/scsi/aacraid/aacraid.h

index 4591113c49de3af951908ed2257f6f5e88663b96..a1a2c71e162651f93d499c56e024e7073cc7fc79 100644 (file)
@@ -549,7 +549,9 @@ static void get_container_name_callback(void *context, struct fib * fibptr)
        if ((le32_to_cpu(get_name_reply->status) == CT_OK)
         && (get_name_reply->data[0] != '\0')) {
                char *sp = get_name_reply->data;
-               sp[sizeof(((struct aac_get_name_resp *)NULL)->data)] = '\0';
+               int data_size = FIELD_SIZEOF(struct aac_get_name_resp, data);
+
+               sp[data_size - 1] = '\0';
                while (*sp == ' ')
                        ++sp;
                if (*sp) {
@@ -579,12 +581,15 @@ static void get_container_name_callback(void *context, struct fib * fibptr)
 static int aac_get_container_name(struct scsi_cmnd * scsicmd)
 {
        int status;
+       int data_size;
        struct aac_get_name *dinfo;
        struct fib * cmd_fibcontext;
        struct aac_dev * dev;
 
        dev = (struct aac_dev *)scsicmd->device->host->hostdata;
 
+       data_size = FIELD_SIZEOF(struct aac_get_name_resp, data);
+
        cmd_fibcontext = aac_fib_alloc_tag(dev, scsicmd);
 
        aac_fib_init(cmd_fibcontext);
@@ -593,7 +598,7 @@ static int aac_get_container_name(struct scsi_cmnd * scsicmd)
        dinfo->command = cpu_to_le32(VM_ContainerConfig);
        dinfo->type = cpu_to_le32(CT_READ_NAME);
        dinfo->cid = cpu_to_le32(scmd_id(scsicmd));
-       dinfo->count = cpu_to_le32(sizeof(((struct aac_get_name_resp *)NULL)->data));
+       dinfo->count = cpu_to_le32(data_size - 1);
 
        status = aac_fib_send(ContainerCommand,
                  cmd_fibcontext,
index d31a9bc2ba69abdcf6cd6c6c8e6d99229ae50e4a..ee2667e20e4239f9129ebe21e7983a2428065b88 100644 (file)
@@ -2274,7 +2274,7 @@ struct aac_get_name_resp {
        __le32          parm3;
        __le32          parm4;
        __le32          parm5;
-       u8              data[16];
+       u8              data[17];
 };
 
 #define CT_CID_TO_32BITS_UID 165