[stgt] [PATCH 3/4] fix length checks in check_pr_out_basic_parameter()

[nezhinsky at gmail.com]

From: Alexander Nezhinsky <nezhinsky at gmail.com>

SPC-3, Table 170, "PERSISTENT RESERVE OUT command" defines PARAMETER LIST LENGTH
as spanning from byte 5 (MSB) to byte 8 (LSB). Need to extract BE 32bit value
starting at 5th byte, and not 16bit value starting at 7 byte.

SPC-3, 6.14.1 states:
"the PARAMETER LIST LENGTH field shall contain 24 (18h), if the
 following conditions are true:
 a) The SPEC_I_PT bit (see 6.14.3) is set to zero; and
 b) The service action is not REGISTER AND MOVE."
As check_pr_out_basic_parameter() covers exactly the above case, we should
stipulate parameter list length to be exactly 24 bytes and data transfer length
to be at least 24 bytes.

Signed-off-by: Alexander Nezhinsky <nezhinsky at gmail.com>
---
 usr/spc.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/usr/spc.c b/usr/spc.c
index cbe369a..0decaf3 100644
--- a/usr/spc.c
+++ b/usr/spc.c
@@ -1060,14 +1060,15 @@ static void __unregister(struct scsi_lu *lu, struct registration *reg)
 
 static int check_pr_out_basic_parameter(struct scsi_cmd *cmd)
 {
-	uint8_t spec_i_pt, all_tg_pt, aptpl;
+	uint32_t param_list_len;
 	uint8_t *buf;
-	uint16_t len = 24;
+	uint8_t spec_i_pt, all_tg_pt, aptpl;
 
-	if (get_unaligned_be16(cmd->scb + 7) < len)
+	param_list_len = get_unaligned_be32(&cmd->scb[5]);
+	if (param_list_len != 24)
 		return 1;
 
-	if (scsi_get_out_length(cmd) < len)
+	if (scsi_get_out_length(cmd) < 24)
 		return 1;
 
 	buf = scsi_get_out_buffer(cmd);
-- 
1.7.9.6

--
To unsubscribe from this list: send the line "unsubscribe stgt" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html