target: report too-small parameter lists everywhere Several places were not checking that the parameter list length was large enough, and thus accessing invalid memory. Zero-length parameter lists are just a special case of this. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>

commit: 0d7f1299ca5540b9a63ab6e8bf0e89ea963eb6af [log] [tgz]
author: Paolo Bonzini <pbonzini@redhat.com> Fri Sep 07 17:30:33 2012 +0200
committer: Nicholas Bellinger <nab@linux-iscsi.org> Fri Sep 07 11:09:08 2012 -0700
tree: 25bba610d95a2d7256830eb41032e5b1e2853fd4
parent: 306c11b28d7bb85a7adda741798a2b6b60dd305a [diff] [blame]
diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c
index 1e94650..956c84c 100644
--- a/drivers/target/target_core_pr.c
+++ b/drivers/target/target_core_pr.c

@@ -1540,6 +1540,14 @@
 	tidh_new->dest_local_nexus = 1;
 	list_add_tail(&tidh_new->dest_list, &tid_dest_list);
 
+	if (cmd->data_length < 28) {
+		pr_warn("SPC-PR: Received PR OUT parameter list"
+			" length too small: %u\n", cmd->data_length);
+		cmd->scsi_sense_reason = TCM_INVALID_PARAMETER_LIST;
+		ret = -EINVAL;
+		goto out;
+	}
+
 	buf = transport_kmap_data_sg(cmd);
 	/*
 	 * For a PERSISTENT RESERVE OUT specify initiator ports payload,
commit	0d7f1299ca5540b9a63ab6e8bf0e89ea963eb6af	[log] [tgz]
author	Paolo Bonzini <pbonzini@redhat.com>	Fri Sep 07 17:30:33 2012 +0200
committer	Nicholas Bellinger <nab@linux-iscsi.org>	Fri Sep 07 11:09:08 2012 -0700
tree	25bba610d95a2d7256830eb41032e5b1e2853fd4
parent	306c11b28d7bb85a7adda741798a2b6b60dd305a [diff] [blame]