target: Fix parameter list length checking in MODE SELECT

An empty parameter list (length == 0) is not an error, so succeed MODE
SELECT in this case.  If the parameter list length is too small,
return the correct sense code of PARAMETER LIST LENGTH ERROR.

Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>

diff --git a/drivers/target/target_core_spc.c b/drivers/target/target_core_spc.c
index 803339516fb9932a809c950296cb9b6525a25ec3..4cb667d720a74e18584199454ce0b7af548fe802 100644 (file)
--- a/drivers/target/target_core_spc.c
+++ b/drivers/target/target_core_spc.c
@@ -1000,6 +1000,14 @@ static sense_reason_t spc_emulate_modeselect(struct se_cmd *cmd)
        int ret = 0;
        int i;
 
+       if (!cmd->data_length) {
+               target_complete_cmd(cmd, GOOD);
+               return 0;
+       }
+
+       if (cmd->data_length < off + 2)
+               return TCM_PARAMETER_LIST_LENGTH_ERROR;
+
        buf = transport_kmap_data_sg(cmd);
        if (!buf)
                return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
@@ -1024,6 +1032,11 @@ static sense_reason_t spc_emulate_modeselect(struct se_cmd *cmd)
        goto out;
 
 check_contents:
+       if (cmd->data_length < off + length) {
+               ret = TCM_PARAMETER_LIST_LENGTH_ERROR;
+               goto out;
+       }
+
        if (memcmp(buf + off, tbuf, length))
                ret = TCM_INVALID_PARAMETER_LIST;