target: bounds check XCOPY total descriptor list length

spc4r37 6.4.3.5 states: If the combined length of the CSCD descriptors and segment descriptors exceeds the allowed value, then the copy manager shall terminate the command with CHECK CONDITION status, with the sense key set to ILLEGAL REQUEST, and the additional sense code set to PARAMETER LIST LENGTH ERROR. This functionality can be tested using the libiscsi ExtendedCopy.DescrLimits test. Signed-off-by: N David Disseldorp <ddiss@suse.de> Reviewed-by: N Christoph Hellwig <hch@lst.de> Signed-off-by: N Bart Van Assche <bart.vanassche@sandisk.com>

target: bounds check XCOPY total descriptor list length
spc4r37 6.4.3.5 states: If the combined length of the CSCD descriptors and segment descriptors exceeds the allowed value, then the copy manager shall terminate the command with CHECK CONDITION status, with the sense key set to ILLEGAL REQUEST, and the additional sense code set to PARAMETER LIST LENGTH ERROR. This functionality can be tested using the libiscsi ExtendedCopy.DescrLimits test. Signed-off-by: N David Disseldorp <ddiss@suse.de> Reviewed-by: N Christoph Hellwig <hch@lst.de> Signed-off-by: N Bart Van Assche <bart.vanassche@sandisk.com>
7d387066 · David Disseldorp · Bart Van Assche · af9f62c1 · 7d387066
显示空白变更内容
内联并排

Showing with 6 addition and 0 deletion

drivers/target/target_core_xcopy.c drivers/target/target_core_xcopy.c +6 -0

未找到文件。
--- a/drivers/target/target_core_xcopy.c
+++ b/drivers/target/target_core_xcopy.c
@@ -894,6 +894,12 @@ sense_reason_t target_do_xcopy(struct se_cmd *se_cmd)
 	 */
 	tdll = get_unaligned_be16(&p[2]);
 	sdll = get_unaligned_be32(&p[8]);
+	if (tdll + sdll > RCR_OP_MAX_DESC_LIST_LEN) {
+		pr_err("XCOPY descriptor list length %u exceeds maximum %u\n",
+		       tdll + sdll, RCR_OP_MAX_DESC_LIST_LEN);
+		ret = TCM_PARAMETER_LIST_LENGTH_ERROR;
+		goto out;
+	}
 	inline_dl = get_unaligned_be32(&p[12]);
 	if (inline_dl != 0) {