redonkable/remarkable-linux
redonkable/remarkable-linux
1
0
Fork 0
Code Releases Activity

[SCSI] qla4xxx: overflow in qla4xxx_set_chap_entry()

Browse source 
We should cap the size of memcpy() because it comes from the network
and can't be trusted.

Fixes: 26ffd7b45f ('[SCSI] qla4xxx: Add support to set CHAP entries')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Vikas Chaudhary <vikas.chaudhary@qlogic.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
This commit is contained in:
Dan Carpenter 2013-11-13 10:48:11 +03:00 committed by James Bottomley
parent 88397c279d
commit 3c60cfd739
1 changed files with 7 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
drivers/scsi/qla4xxx/ql4_os.c
View file

@ -861,6 +861,7 @@ static int qla4xxx_set_chap_entry(struct Scsi_Host *shost, void *data, int len)
int type;
int rem = len;
int rc = 0;
int size;
memset(&chap_rec, 0, sizeof(chap_rec));
@ -875,12 +876,14 @@ static int qla4xxx_set_chap_entry(struct Scsi_Host *shost, void *data, int len)
chap_rec.chap_type = param_info->value[0];
break;
case ISCSI_CHAP_PARAM_USERNAME:
memcpy(chap_rec.username, param_info->value,
param_info->len);
size = min_t(size_t, sizeof(chap_rec.username),
param_info->len);
memcpy(chap_rec.username, param_info->value, size);
break;
case ISCSI_CHAP_PARAM_PASSWORD:
memcpy(chap_rec.password, param_info->value,
param_info->len);
size = min_t(size_t, sizeof(chap_rec.password),
param_info->len);
memcpy(chap_rec.password, param_info->value, size);
break;
case ISCSI_CHAP_PARAM_PASSWORD_LEN:
chap_rec.password_length = param_info->value[0];