path: root/drivers/target
diff options
authorEric Seppanen <eric@purestorage.com>2013-11-20 14:19:51 -0800
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-12-04 10:56:15 -0800
commite97f132f0e66893138f64b681cddff2d2ff37b53 (patch)
treeaad150522af32dc3c9de4bfa81ffd6f807e11ade /drivers/target
parentcf516effc76c78f948e6eb7cc46d4515003b423d (diff)
iscsi-target: fix extract_param to handle buffer length corner case
commit 369653e4fb511928511b0ce81f41c812ff1f28b6 upstream. extract_param() is called with max_length set to the total size of the output buffer. It's not safe to allow a parameter length equal to the buffer size as the terminating null would be written one byte past the end of the output buffer. Signed-off-by: Eric Seppanen <eric@purestorage.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/target')
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c
index cd5018ff9cd7..72d9dec991c0 100644
--- a/drivers/target/iscsi/iscsi_target_nego.c
+++ b/drivers/target/iscsi/iscsi_target_nego.c
@@ -90,7 +90,7 @@ int extract_param(
if (len < 0)
return -1;
- if (len > max_length) {
+ if (len >= max_length) {
pr_err("Length of input: %d exceeds max_length:"
" %d\n", len, max_length);
return -1;