diff options
| author | Eric Seppanen <eric@purestorage.com> | 2013-11-20 14:19:51 -0800 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2014-01-03 04:33:23 +0000 |
| commit | 6d8fcca06072afed5d917c980ac233abd4f03e0b (patch) | |
| tree | 9edbfbe0291ee9b74ebafe06005ef57038ccf98b | |
| parent | 3bf4e8c8072d395099cde6f6f84b69ea015b70d8 (diff) | |
| download | lwn-6d8fcca06072afed5d917c980ac233abd4f03e0b.tar.gz lwn-6d8fcca06072afed5d917c980ac233abd4f03e0b.zip | |
iscsi-target: fix extract_param to handle buffer length corner case
commit 369653e4fb511928511b0ce81f41c812ff1f28b6 upstream.
extract_param() is called with max_length set to the total size of the
output buffer. It's not safe to allow a parameter length equal to the
buffer size as the terminating null would be written one byte past the
end of the output buffer.
Signed-off-by: Eric Seppanen <eric@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
| -rw-r--r-- | drivers/target/iscsi/iscsi_target_nego.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c index 7d85f8890162..3486d129eb9c 100644 --- a/drivers/target/iscsi/iscsi_target_nego.c +++ b/drivers/target/iscsi/iscsi_target_nego.c @@ -89,7 +89,7 @@ int extract_param( if (len < 0) return -1; - if (len > max_length) { + if (len >= max_length) { pr_err("Length of input: %d exeeds max_length:" " %d\n", len, max_length); return -1; |