Commit 19bc5f2a authored Jan 06, 2026 by Jiasheng Jiang Committed by Martin K. Petersen Jan 16, 2026

scsi: qla2xxx: Sanitize payload size to prevent member overflow

In qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt(), the frame_size
reported by firmware is used to calculate the copy length into
item->iocb. However, the iocb member is defined as a fixed-size 64-byte
array within struct purex_item.

If the reported frame_size exceeds 64 bytes, subsequent memcpy calls will
overflow the iocb member boundary. While extra memory might be allocated,
this cross-member write is unsafe and triggers warnings under
CONFIG_FORTIFY_SOURCE.

Fix this by capping total_bytes to the size of the iocb member (64 bytes)
before allocation and copying. This ensures all copies remain within the
bounds of the destination structure member.

Fixes: 875386b9 ("scsi: qla2xxx: Add Unsolicited LS Request and Response Support for NVMe")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com>
Link: https://patch.msgid.link/20260106205344.18031-1-jiashengjiangcool@gmail.com

Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

parent 84dc6037

drivers/scsi/qla2xxx/qla_isr.c

+7 −0

Original line number	Diff line number	Diff line
		@@ -878,6 +878,9 @@ qla27xx_copy_multiple_pkt(struct scsi_qla_host vha, void *pkt,
		payload_size = sizeof(purex->els_frame_payload);
		}

		if (total_bytes > sizeof(item->iocb.iocb))
		total_bytes = sizeof(item->iocb.iocb);

		pending_bytes = total_bytes;
		no_bytes = (pending_bytes > payload_size) ? payload_size :
		pending_bytes;
		@@ -1163,6 +1166,10 @@ qla27xx_copy_fpin_pkt(struct scsi_qla_host vha, void *pkt,

		total_bytes = (le16_to_cpu(purex->frame_size) & 0x0FFF)
		- PURX_ELS_HEADER_SIZE;

		if (total_bytes > sizeof(item->iocb.iocb))
		total_bytes = sizeof(item->iocb.iocb);

		pending_bytes = total_bytes;
		entry_count = entry_count_remaining = purex->entry_count;
		no_bytes = (pending_bytes > sizeof(purex->els_frame_payload)) ?