[lvc-project] [PATCH] target: Fix an overwriting of the error status code
Markov Gleb
markov.gi at npc-ksb.ru
Mon Jun 29 16:09:30 MSK 2026
From: Gleb Markov <markov.gi at npc-ksb.ru>
If the maximum field length is exceeded, the error status code written to
ret will be overwritten without verification, and data with an incorrect
field length will be passed to core_scsi3_alloc_aptpl_registration(),
where it will be truncated by snprintf() to the maximum allowed length,
without "\0", resulting in the use of truncated data.
If pr_reg->pr_reg_isid, pr_reg->pr_iport or pr_reg->pr_tport are passed to
functions such as strlen(), strcmp(), which expect a "\0" at the end, it
will result in a memory access outside the buffer.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: c66ac9db8d4a ("[SCSI] target: Add LIO target core v4.0.0-rc6")
Signed-off-by: Gleb Markov <markov.gi at npc-ksb.ru>
---
drivers/target/target_core_configfs.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c
index d93773b3227c..3385d542de62 100644
--- a/drivers/target/target_core_configfs.c
+++ b/drivers/target/target_core_configfs.c
@@ -2194,7 +2194,7 @@ static ssize_t target_pr_res_aptpl_metadata_store(struct config_item *item,
" exceeds PR_APTPL_MAX_IPORT_LEN: %d\n",
PR_APTPL_MAX_IPORT_LEN);
ret = -EINVAL;
- break;
+ goto out;
}
break;
case Opt_initiator_sid:
@@ -2208,7 +2208,7 @@ static ssize_t target_pr_res_aptpl_metadata_store(struct config_item *item,
"= exceeds PR_REG_ISID_LEN: %d\n",
PR_REG_ISID_LEN);
ret = -EINVAL;
- break;
+ goto out;
}
break;
case Opt_sa_res_key:
@@ -2272,7 +2272,7 @@ static ssize_t target_pr_res_aptpl_metadata_store(struct config_item *item,
" exceeds PR_APTPL_MAX_TPORT_LEN: %d\n",
PR_APTPL_MAX_TPORT_LEN);
ret = -EINVAL;
- break;
+ goto out;
}
break;
case Opt_tpgt:
--
2.43.0
More information about the lvc-project
mailing list