scsi: iscsi: Verify lengths on passthrough PDUs (f9dbdf97) · Commits · git / linux-net

drivers/scsi/scsi_transport_iscsi.c

+9 −0

Original line number	Diff line number	Diff line
		@@ -3624,6 +3624,7 @@ iscsi_if_recv_msg(struct sk_buff skb, struct nlmsghdr nlh, uint32_t *group)
		{
		int err = 0;
		u32 portid;
		u32 pdu_len;
		struct iscsi_uevent *ev = nlmsg_data(nlh);
		struct iscsi_transport *transport = NULL;
		struct iscsi_internal *priv;
		@@ -3766,6 +3767,14 @@ iscsi_if_recv_msg(struct sk_buff skb, struct nlmsghdr nlh, uint32_t *group)
		err = -EINVAL;
		break;
		case ISCSI_UEVENT_SEND_PDU:
		pdu_len = nlh->nlmsg_len - sizeof(nlh) - sizeof(ev);

		if ((ev->u.send_pdu.hdr_size > pdu_len) \|\|
		(ev->u.send_pdu.data_size > (pdu_len - ev->u.send_pdu.hdr_size))) {
		err = -EINVAL;
		break;
		}

		conn = iscsi_conn_lookup(ev->u.send_pdu.sid, ev->u.send_pdu.cid);
		if (conn) {
		mutex_lock(&conn_mutex);