* [PATCH] libmpathpersist: fix off-by-one error in PRIN length check
@ 2018-11-26 16:29 Martin Wilck
0 siblings, 0 replies; only message in thread
From: Martin Wilck @ 2018-11-26 16:29 UTC (permalink / raw)
To: Christophe Varoqui; +Cc: dm-devel, Martin Wilck
The length check added by bf25392f4e98 was off by one, so
that a warning was printed even for correct responses
for PERSISTENT_RESERVE_IN READ_FULL_STATUS service actions.
Non-fatal, but should be fixed nonetheless.
Fixes: bf25392f4e98 "libmpathpersist: fix stack overflow in
mpath_format_readfullstatus()"
Signed-off-by: Martin Wilck <mwilck@suse.com>
---
libmpathpersist/mpath_pr_ioctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libmpathpersist/mpath_pr_ioctl.c b/libmpathpersist/mpath_pr_ioctl.c
index a222b1e1..c4f4ccda 100644
--- a/libmpathpersist/mpath_pr_ioctl.c
+++ b/libmpathpersist/mpath_pr_ioctl.c
@@ -241,7 +241,7 @@ void mpath_format_readfullstatus(struct prin_resp *pr_buff, int len, int noisy)
fdesc.rtpi = get_unaligned_be16(&p[18]);
tid_len_len = get_unaligned_be32(&p[20]);
- if (tid_len_len + 24 + k >= additional_length) {
+ if (tid_len_len + 24 + k > additional_length) {
condlog(0,
"%s: corrupt PRIN response: status descriptor end %d exceeds length %d",
__func__, tid_len_len + k + 24,
--
2.19.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2018-11-26 16:29 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-11-26 16:29 [PATCH] libmpathpersist: fix off-by-one error in PRIN length check Martin Wilck
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.