From: Hannes Reinecke Date: Wed, 6 Feb 2013 13:42:28 +0000 (+0100) Subject: target_core_rd: break out unterminated loop during copy X-Git-Tag: firefly_0821_release~3680^2~973^2~14 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=bbf344e54ed9a76e344d08feedc70ab2c5a8a64c;p=firefly-linux-kernel-4.4.55.git target_core_rd: break out unterminated loop during copy The loop in rd_execute_rw() will never terminate if the sg element has a zero size. Or it'll spill over into outer space if the sg element is larger than the available space. So we need to add some safety catches here. Cc: Nic Bellinger Signed-off-by: Hannes Reinecke Signed-off-by: Nicholas Bellinger --- diff --git a/drivers/target/target_core_rd.c b/drivers/target/target_core_rd.c index b0fff52c990e..e0b3c379aa14 100644 --- a/drivers/target/target_core_rd.c +++ b/drivers/target/target_core_rd.c @@ -316,7 +316,19 @@ rd_execute_rw(struct se_cmd *cmd) void *rd_addr; sg_miter_next(&m); + if (!(u32)m.length) { + pr_debug("RD[%u]: invalid sgl %p len %zu\n", + dev->rd_dev_id, m.addr, m.length); + sg_miter_stop(&m); + return TCM_INCORRECT_AMOUNT_OF_DATA; + } len = min((u32)m.length, src_len); + if (len > rd_size) { + pr_debug("RD[%u]: size underrun page %d offset %d " + "size %d\n", dev->rd_dev_id, + rd_page, rd_offset, rd_size); + len = rd_size; + } m.consumed = len; rd_addr = sg_virt(rd_sg) + rd_offset;