提交 bbf344e5 编写于 作者: H Hannes Reinecke 提交者: Nicholas Bellinger

target_core_rd: break out unterminated loop during copy

The loop in rd_execute_rw() will never terminate if the
sg element has a zero size. Or it'll spill over into
outer space if the sg element is larger than the available
space.
So we need to add some safety catches here.

Cc: Nic Bellinger <nab@risingtidesystems.com>
Signed-off-by: NHannes Reinecke <hare@suse.de>
Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
上级 1b7f390e
...@@ -316,7 +316,19 @@ rd_execute_rw(struct se_cmd *cmd) ...@@ -316,7 +316,19 @@ rd_execute_rw(struct se_cmd *cmd)
void *rd_addr; void *rd_addr;
sg_miter_next(&m); sg_miter_next(&m);
if (!(u32)m.length) {
pr_debug("RD[%u]: invalid sgl %p len %zu\n",
dev->rd_dev_id, m.addr, m.length);
sg_miter_stop(&m);
return TCM_INCORRECT_AMOUNT_OF_DATA;
}
len = min((u32)m.length, src_len); len = min((u32)m.length, src_len);
if (len > rd_size) {
pr_debug("RD[%u]: size underrun page %d offset %d "
"size %d\n", dev->rd_dev_id,
rd_page, rd_offset, rd_size);
len = rd_size;
}
m.consumed = len; m.consumed = len;
rd_addr = sg_virt(rd_sg) + rd_offset; rd_addr = sg_virt(rd_sg) + rd_offset;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册