[05/10] target: bounds check XCOPY total descriptor list length

Submitted by Andrei Vagin on April 2, 2018, 11:30 p.m.


Message ID 1522711828-24308-6-git-send-email-avagin@openvz.org
State New
Series "target: backport bug fixes for XCOPY"
Headers show

Commit Message

Andrei Vagin April 2, 2018, 11:30 p.m.
From: David Disseldorp <ddiss@suse.de>

ML: 7d38706669ce00603b187f667a4eb67c94eac098

spc4r37 states:
  If the combined length of the CSCD descriptors and segment descriptors
  exceeds the allowed value, then the copy manager shall terminate the
  command with CHECK CONDITION status, with the sense key set to ILLEGAL
  REQUEST, and the additional sense code set to PARAMETER LIST LENGTH

This functionality can be tested using the libiscsi
ExtendedCopy.DescrLimits test.

Signed-off-by: David Disseldorp <ddiss@suse.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Andrei Vagin <avagin@openvz.org>
 drivers/target/target_core_xcopy.c | 6 ++++++
 1 file changed, 6 insertions(+)

Patch hide | download patch | download mbox

diff --git a/drivers/target/target_core_xcopy.c b/drivers/target/target_core_xcopy.c
index d8d53c4..f2ea6cc 100644
--- a/drivers/target/target_core_xcopy.c
+++ b/drivers/target/target_core_xcopy.c
@@ -940,6 +940,12 @@  sense_reason_t target_do_xcopy(struct se_cmd *se_cmd)
 	tdll = get_unaligned_be16(&p[2]);
 	sdll = get_unaligned_be32(&p[8]);
+	if (tdll + sdll > RCR_OP_MAX_DESC_LIST_LEN) {
+		pr_err("XCOPY descriptor list length %u exceeds maximum %u\n",
+		       tdll + sdll, RCR_OP_MAX_DESC_LIST_LEN);
+		goto out;
+	}
 	inline_dl = get_unaligned_be32(&p[12]);
 	if (inline_dl != 0) {