提交 d46bdeb1 编写于 作者: M Manish Rangankar 提交者: James Bottomley

[SCSI] qla4xxx: Fix memory corruption issue in qla4xxx_ep_connect.

In qla4xxx_ep_connect(), qla_ep->dst_addr and dst_addr are type
struct sockaddr. We are copying sizeof(struct sockaddr_in6) bytes
from dst_addr to qla_ep->dst_addr which is 12 bytes larger. This
will cause memory corruption. So we change qla_ep->dst_addr to
struct sockaddr_storage which is of 128 byte, large enough to
hold sizeof(struct sockaddr_in6).
Signed-off-by: NManish Rangankar <manish.rangankar@qlogic.com>
Signed-off-by: NVikas Chaudhary <vikas.chaudhary@qlogic.com>
Reviewed-by: NMike Christie <michaelc@cs.wisc.edu>
Signed-off-by: NJames Bottomley <JBottomley@Parallels.com>
上级 95ab0003
......@@ -752,7 +752,7 @@ struct ql4_task_data {
struct qla_endpoint {
struct Scsi_Host *host;
struct sockaddr dst_addr;
struct sockaddr_storage dst_addr;
};
struct qla_conn {
......
......@@ -1695,7 +1695,7 @@ int qla4xxx_set_param_ddbentry(struct scsi_qla_host *ha,
conn = cls_conn->dd_data;
qla_conn = conn->dd_data;
sess = conn->session;
dst_addr = &qla_conn->qla_ep->dst_addr;
dst_addr = (struct sockaddr *)&qla_conn->qla_ep->dst_addr;
if (dst_addr->sa_family == AF_INET6)
options |= IPV6_DEFAULT_DDB_ENTRY;
......
......@@ -1366,7 +1366,7 @@ static int qla4xxx_conn_get_param(struct iscsi_cls_conn *cls_conn,
conn = cls_conn->dd_data;
qla_conn = conn->dd_data;
dst_addr = &qla_conn->qla_ep->dst_addr;
dst_addr = (struct sockaddr *)&qla_conn->qla_ep->dst_addr;
switch (param) {
case ISCSI_PARAM_CONN_PORT:
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册