scsi: mpt3sas: Fix buffer overflow in mpt3sas_send_mctp_passthru_req()

The "sz" argument in mpt3sas_check_cmd_timeout() is the number of u32, not
the number of bytes.  We dump that many u32 values to dmesg.  Passing the
number of bytes will lead to a read overflow.  Divide by 4 to get the
correct value.

Fixes: c72be4b5bb7c ("scsi: mpt3sas: Add support for MCTP Passthrough commands")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/02b0d4ff-961c-49ae-921a-5cc469edf93c@stanley.mountain
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
index ff8fedf5f20eb1823a51af535a1f38f5d02e6793..063b10dd82514e2a4b35dab9e623942b7b01dd7c 100644 (file)
--- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
@@ -3017,7 +3017,7 @@ int mpt3sas_send_mctp_passthru_req(struct mpt3_passthru_command *command)
        if (!(ioc->ctl_cmds.status & MPT3_CMD_COMPLETE)) {
                mpt3sas_check_cmd_timeout(ioc,
                    ioc->ctl_cmds.status, mpi_request,
-                   sizeof(Mpi26MctpPassthroughRequest_t), issue_reset);
+                   sizeof(Mpi26MctpPassthroughRequest_t) / 4, issue_reset);
                goto issue_host_reset;
        }