[SCSI] ibmvfc: Sanitize response lengths

[linux-2.6] / drivers / scsi / ibmvscsi / ibmvfc.c

diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c
index 58f8c9e39ae8824b728557f5a5a262eb0c364dc4..6ecc0ddd4440e88a1ed5c207bf8e2c60f73b76a4 100644 (file)
--- a/drivers/scsi/ibmvscsi/ibmvfc.c
+++ b/drivers/scsi/ibmvscsi/ibmvfc.c
@@ -1457,8 +1457,8 @@ static void ibmvfc_scsi_done(struct ibmvfc_event *evt)
        struct ibmvfc_cmd *vfc_cmd = &evt->xfer_iu->cmd;
        struct ibmvfc_fcp_rsp *rsp = &vfc_cmd->rsp;
        struct scsi_cmnd *cmnd = evt->cmnd;
-       int rsp_len = 0;
-       int sense_len = rsp->fcp_sense_len;
+       u32 rsp_len = 0;
+       u32 sense_len = rsp->fcp_sense_len;
 
        if (cmnd) {
                if (vfc_cmd->response_flags & IBMVFC_ADAPTER_RESID_VALID)
@@ -1475,7 +1475,7 @@ static void ibmvfc_scsi_done(struct ibmvfc_event *evt)
                                rsp_len = rsp->fcp_rsp_len;
                        if ((sense_len + rsp_len) > SCSI_SENSE_BUFFERSIZE)
                                sense_len = SCSI_SENSE_BUFFERSIZE - rsp_len;
-                       if ((rsp->flags & FCP_SNS_LEN_VALID) && rsp->fcp_sense_len)
+                       if ((rsp->flags & FCP_SNS_LEN_VALID) && rsp->fcp_sense_len && rsp_len <= 8)
                                memcpy(cmnd->sense_buffer, rsp->data.sense + rsp_len, sense_len);
 
                        ibmvfc_log_error(evt);