]>
Commit | Line | Data |
---|---|---|
12fbf0f8 GKH |
1 | From stable-bounces@linux.kernel.org Tue Oct 16 15:28:18 2007 |
2 | From: HighPoint Linux Team <linux@highpoint-tech.com> | |
3 | Date: Tue, 16 Oct 2007 14:28:24 -0700 | |
4 | Subject: hptiop: avoid buffer overflow when returning sense data | |
5 | To: James.Bottomley@steeleye.com | |
6 | Cc: akpm@linux-foundation.org, linux@highpoint-tech.com, stable@kernel.org, linux-scsi@vger.kernel.org | |
7 | Message-ID: <200710162128.l9GLSORo018187@imap1.linux-foundation.org> | |
8 | ||
9 | ||
10 | From: HighPoint Linux Team <linux@highpoint-tech.com> | |
11 | ||
12 | patch 0fec02c93f60fb44ba3a24a0d3e4a52521d34d3f in mainline. | |
13 | ||
14 | avoid buffer overflow when returning sense data. | |
15 | ||
16 | With current adapter firmware the driver is working but future firmware | |
17 | updates may return sense data larger than 96 bytes, causing overflow on | |
18 | scp->sense_buffer and a kernel crash. | |
19 | ||
20 | This fix should be backported to earlier kernels. | |
21 | ||
22 | Signed-off-by: HighPoint Linux Team <linux@highpoint-tech.com> | |
23 | Signed-off-by: James Bottomley <James.Bottomley@steeleye.com> | |
24 | Signed-off-by: Andrew Morton <akpm@linux-foundation.org> | |
02a6e516 | 25 | Acked-by: Matthew Wilcox <willy@linux.intel.com> |
12fbf0f8 GKH |
26 | Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
27 | ||
28 | --- | |
29 | drivers/scsi/hptiop.c | 5 +++-- | |
30 | 1 file changed, 3 insertions(+), 2 deletions(-) | |
31 | ||
32 | --- a/drivers/scsi/hptiop.c | |
33 | +++ b/drivers/scsi/hptiop.c | |
34 | @@ -377,8 +377,9 @@ static void hptiop_host_request_callback | |
35 | scp->result = SAM_STAT_CHECK_CONDITION; | |
36 | memset(&scp->sense_buffer, | |
37 | 0, sizeof(scp->sense_buffer)); | |
38 | - memcpy(&scp->sense_buffer, | |
39 | - &req->sg_list, le32_to_cpu(req->dataxfer_length)); | |
40 | + memcpy(&scp->sense_buffer, &req->sg_list, | |
41 | + min(sizeof(scp->sense_buffer), | |
42 | + le32_to_cpu(req->dataxfer_length))); | |
43 | break; | |
44 | ||
45 | default: |