diff options
| author | ReBeating <rebeating@163.com> | 2025-12-26 11:19:36 +0800 |
|---|---|---|
| committer | Martin K. Petersen <martin.petersen@oracle.com> | 2026-01-04 15:44:17 -0500 |
| commit | 8e8e8e7e8406e96a0189e116eb04f67f776f947f (patch) | |
| tree | 1eb26d6637b57e330218f47fef0f79a5c8c99bcf | |
| parent | 8334f93075dce0a4536c096a7d471ef90506a7a4 (diff) | |
scsi: target: sbp: Potential integer overflow in sbp_make_tpg()
The variable tpgt in sbp_make_tpg() is defined as unsigned long and is
assigned to tpgt->tport_tpgt, which is defined as u16. This may cause an
integer overflow when tpgt is greater than USHRT_MAX (65535). I haven't
tried to trigger it myself, but it is possible to trigger it by calling
sbp_make_tpg() with a large value for tpgt.
Modify the type of tpgt to match tpgt->tport_tpgt and adjusted the
relevant code accordingly.
This patch is similar to commit 59c816c1f24d ("vhost/scsi: potential
memory corruption").
Signed-off-by: ReBeating <rebeating@163.com>
Link: https://patch.msgid.link/20251226031936.852-1-rebeating@163.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
| -rw-r--r-- | drivers/target/sbp/sbp_target.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/target/sbp/sbp_target.c b/drivers/target/sbp/sbp_target.c index 9f167ff8da7b..09120a538a40 100644 --- a/drivers/target/sbp/sbp_target.c +++ b/drivers/target/sbp/sbp_target.c @@ -1960,12 +1960,12 @@ static struct se_portal_group *sbp_make_tpg(struct se_wwn *wwn, container_of(wwn, struct sbp_tport, tport_wwn); struct sbp_tpg *tpg; - unsigned long tpgt; + u16 tpgt; int ret; if (strstr(name, "tpgt_") != name) return ERR_PTR(-EINVAL); - if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX) + if (kstrtou16(name + 5, 10, &tpgt)) return ERR_PTR(-EINVAL); if (tport->tpg) { |