iscsi-target: fix extract_param to handle buffer length corner case

extract_param() is called with max_length set to the total size of the output buffer. It's not safe to allow a parameter length equal to the buffer size as the terminating null would be written one byte past the end of the output buffer. Signed-off-by: N Eric Seppanen <eric@purestorage.com> Cc: <stable@vger.kernel.org> #3.1+ Signed-off-by: N Nicholas Bellinger <nab@linux-iscsi.org>

iscsi-target: fix extract_param to handle buffer length corner case
extract_param() is called with max_length set to the total size of the output buffer. It's not safe to allow a parameter length equal to the buffer size as the terminating null would be written one byte past the end of the output buffer. Signed-off-by: N Eric Seppanen <eric@purestorage.com> Cc: <stable@vger.kernel.org> #3.1+ Signed-off-by: N Nicholas Bellinger <nab@linux-iscsi.org>
369653e4 · Eric Seppanen · Nicholas Bellinger · d1fa7a1d · 369653e4
显示空白变更内容
内联并排

Showing with 1 addition and 1 deletion

drivers/target/iscsi/iscsi_target_nego.c drivers/target/iscsi/iscsi_target_nego.c +1 -1

未找到文件。
--- a/drivers/target/iscsi/iscsi_target_nego.c
+++ b/drivers/target/iscsi/iscsi_target_nego.c
@@ -88,7 +88,7 @@ int extract_param(
 	if (len < 0)
 		return -1;
-	if (len > max_length) {
+	if (len >= max_length) {
 		pr_err("Length of input: %d exceeds max_length:"
 			" %d\n", len, max_length);
 		return -1;