scsi: target: sbp: Potential integer overflow in sbp_make_tpg()
The variable tpgt in sbp_make_tpg() is defined as unsigned long and is
assigned to tpgt->tport_tpgt, which is defined as u16. This may cause an
integer overflow when tpgt is greater than USHRT_MAX (65535). I haven't
tried to trigger it myself, but it is possible to trigger it by calling
sbp_make_tpg() with a large value for tpgt.
Modify the type of tpgt to match tpgt->tport_tpgt and adjusted the
relevant code accordingly.
This patch is similar to commit 59c816c1f2 ("vhost/scsi: potential
memory corruption").
Signed-off-by: ReBeating <rebeating@163.com>
Link: https://patch.msgid.link/20251226031936.852-1-rebeating@163.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
This commit is contained in:
parent
8334f93075
commit
8e8e8e7e84
1 changed files with 2 additions and 2 deletions
|
|
@ -1960,12 +1960,12 @@ static struct se_portal_group *sbp_make_tpg(struct se_wwn *wwn,
|
|||
container_of(wwn, struct sbp_tport, tport_wwn);
|
||||
|
||||
struct sbp_tpg *tpg;
|
||||
unsigned long tpgt;
|
||||
u16 tpgt;
|
||||
int ret;
|
||||
|
||||
if (strstr(name, "tpgt_") != name)
|
||||
return ERR_PTR(-EINVAL);
|
||||
if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX)
|
||||
if (kstrtou16(name + 5, 10, &tpgt))
|
||||
return ERR_PTR(-EINVAL);
|
||||
|
||||
if (tport->tpg) {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue