[stgt] [PATCH] smc: fix memory overwite bug in smc_read_element_status

FUJITA Tomonori fujita.tomonori at lab.ntt.co.jp
Tue Dec 1 18:22:12 CET 2009


Signed-off-by: FUJITA Tomonori <fujita.tomonori at lab.ntt.co.jp>
---
 usr/smc.c |   14 +++++++++++++-
 1 files changed, 13 insertions(+), 1 deletions(-)

diff --git a/usr/smc.c b/usr/smc.c
index 6430882..c0f25d6 100644
--- a/usr/smc.c
+++ b/usr/smc.c
@@ -259,6 +259,17 @@ static int smc_initialize_element_status(int host_no, struct scsi_cmd *cmd)
 		return SAM_STAT_GOOD;
 }
 
+static int nr_slots(struct smc_info *smc)
+{
+	int count = 0;
+	struct slot *s;
+
+	list_for_each_entry(s, &smc->slots, slot_siblings)
+		count++;
+
+	return count;
+}
+
 /**
  * smc_read_element_status  -  READ ELEMENT STATUS op code
  *
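Review bot: `nr_slots()` is added without a comment saying what it counts or why, yet its result now decides the size of the response buffer allocated in `smc_read_element_status`. A one-line header would make that dependency explicit, for example `/* Count every element on smc->slots; used to size the worst-case READ ELEMENT STATUS buffer. */`. Whether `smc->slots` holds all element types or only storage slots cannot be seen from this hunk, and the comment should state which, because the bound is only valid if every element that can be reported is counted.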
@@ -304,7 +315,8 @@ static int smc_read_element_status(int host_no, struct scsi_cmd *cmd)
 		}
 	}
 
-	data = zalloc(alloc_len);
+	/* we allocate possible maximum data length */
+	data = zalloc(8 + elementSize * nr_slots(smc));
 	if (!data) {
 		dprintf("Can't allocate enough memory for cmd\n");
 		key = HARDWARE_ERROR;
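Review bot: The new size `8 + elementSize * nr_slots(smc)` reserves room for a single 8-byte header. If the descriptor-building code also emits a header for each element-type page (not visible in this hunk), a request covering all element types could still write past the end of `data`. If so, the bound should include those headers, e.g. `data = zalloc(8 + 8 * NR_ELEMENT_TYPES + elementSize * nr_slots(smc));` (constant name constructed here), and the comment should spell out what each term covers. Because the buffer is no longer sized from `alloc_len`, the later copy into the initiator's buffer must be limited to the smaller of the built length and `alloc_len`. That code lies outside the hunk and should be confirmed, as `smc_read_element_status` starts and ends outside it.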
-- 
1.5.6.5



