[SCSI] libosd: Fix NULL dereference BUG when target is not OSD conformant
author Boaz Harrosh <bharrosh@panasas.com>
Sun, 8 Feb 2009 16:02:22 +0000 (18:02 +0200)
committer James Bottomley <James.Bottomley@HansenPartnership.com>
Thu, 12 Mar 2009 17:58:13 +0000 (12:58 -0500)

Very old OSC's Target had a BUG in the Get/Set attributes where
it was looking in the wrong places for attribute lists length.
If used with the open-osd initiator, the initiator would dereference
a NULL pointer when retrieving system_information attributes.

Checks are added that retrieval of each attribute is successful
before accessing its value.

Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
drivers/scsi/osd/osd_initiator.c

index 0bbbf271fbb06c1069ec575efde2181f3c5496a1..552f58b655d155bcde07a8911f4e81123a47ce4d 100644 (file)
@@ -131,7 +131,7 @@ static int _osd_print_system_info(struct osd_dev *od, void *caps)
 
        pFirst = get_attrs[a++].val_ptr;
        OSD_INFO("OSD_ATTR_RI_PRODUCT_REVISION_LEVEL [%u]\n",
-               get_unaligned_be32(pFirst));
+               pFirst ? get_unaligned_be32(pFirst) : ~0U);
 
        pFirst = get_attrs[a++].val_ptr;
        OSD_INFO("OSD_ATTR_RI_PRODUCT_SERIAL_NUMBER [%s]\n",
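Review bot: In the OSD_ATTR_RI_PRODUCT_REVISION_LEVEL print, the fallback `~0U` goes through `%u` and appears in the log as 4294967295, which a reader cannot tell apart from a value the target actually returned. Printing an explicit marker for a missing attribute would make the non-conformant case visible. The new test also covers only a NULL `val_ptr`; since the commit message says the old target misplaces attribute list lengths, it is worth confirming that a non-NULL pointer really has four bytes behind it before `get_unaligned_be32(pFirst)` reads them. The OSD_ATTR_RI_PRODUCT_SERIAL_NUMBER print in the trailing context takes `pFirst` from the same array and deserves the same look if it is not already guarded.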
@@ -143,15 +143,18 @@ static int _osd_print_system_info(struct osd_dev *od, void *caps)
 
        pFirst = get_attrs[a++].val_ptr;
        OSD_INFO("OSD_ATTR_RI_TOTAL_CAPACITY [0x%llx]\n",
-               _LLU(get_unaligned_be64(pFirst)));
+               pFirst ? _LLU(get_unaligned_be64(pFirst)) : ~0ULL);
 
        pFirst = get_attrs[a++].val_ptr;
        OSD_INFO("OSD_ATTR_RI_USED_CAPACITY [0x%llx]\n",
-               _LLU(get_unaligned_be64(pFirst)));
+               pFirst ? _LLU(get_unaligned_be64(pFirst)) : ~0ULL);
 
        pFirst = get_attrs[a++].val_ptr;
        OSD_INFO("OSD_ATTR_RI_NUMBER_OF_PARTITIONS [%llu]\n",
-               _LLU(get_unaligned_be64(pFirst)));
+               pFirst ? _LLU(get_unaligned_be64(pFirst)) : ~0ULL);
+
+       if (a >= nelem)
+               goto out;
 
        /* FIXME: Where are the time utilities */
        pFirst = get_attrs[a++].val_ptr;
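Review bot: The `if (a >= nelem) goto out;` guard is the only bounds check on `a` in this hunk, and it sits after the `get_attrs[a++]` reads for the capacity and partition attributes, so the code does not say why the array can end at this point and not earlier. A short comment naming which entries are optional, or a check before each indexed read, would document that. The `pFirst` fetched right after the FIXME comment should get the same NULL test as the fields above before anything dereferences it; that use is outside the visible lines.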