diff options
| author | Roland Dreier <roland@purestorage.com> | 2012-07-16 15:34:24 -0700 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2012-08-15 08:10:32 -0700 |
| commit | c329e96ae86fb69c30287a434426f2083fb2430b (patch) | |
| tree | 11fc728c818baa573f3a15ee5e0bfa8df64b74c2 /lib/debugobjects.c | |
| parent | 6fb6469c601a80a0c883ec0be189ecf1677ecf56 (diff) | |
target: Fix possible integer underflow in UNMAP emulation
commit b7fc7f3777582dea85156a821d78a522a0c083aa upstream.
It's possible for an initiator to send us an UNMAP command with a
descriptor that is less than 8 bytes; in that case it's really bad for
us to set an unsigned int to that value, subtract 8 from it, and then
use that as a limit for our loop (since the value will wrap around to
a huge positive value).
Fix this by making size be signed and only looping if size >= 16 (ie
if we have at least a full descriptor available).
Also remove offset as an obfuscated name for the constant 8.
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'lib/debugobjects.c')
0 files changed, 0 insertions, 0 deletions