- Fixed a buffer overrun: a service entry name occupying 35 bytes was
authorbvassche <bvassche@d57e44dd-8a1f-0410-8b47-8ef2f437770f>
Thu, 30 Jul 2009 12:48:06 +0000 (12:48 +0000)
committerbvassche <bvassche@d57e44dd-8a1f-0410-8b47-8ef2f437770f>
Thu, 30 Jul 2009 12:48:06 +0000 (12:48 +0000)
  written into a buffer with a size of 32 bytes. Enlarged the buffer
  to 36 bytes.
- Converted sprintf() calls to snprintf() calls.
- Added more TRACE_ENTRY() / TRACE_EXIT() statements.

git-svn-id: https://scst.svn.sourceforge.net/svnroot/scst/trunk@992 d57e44dd-8a1f-0410-8b47-8ef2f437770f

srpt/src/ib_srpt.c
srpt/src/ib_srpt.h

index 41daa8b..0b51eef 100644 (file)
@@ -335,8 +335,11 @@ static void srpt_get_svc_entries(u16 slot, u8 hi, u8 lo, struct ib_dm_mad *mad)
        svc_entries = (struct ib_dm_svc_entries *)mad->data;
        memset(svc_entries, 0, sizeof *svc_entries);
        svc_entries->service_entries[0].id = cpu_to_be64(mellanox_ioc_guid);
-       sprintf(svc_entries->service_entries[0].name, "%s%016llx",
-               SRP_SERVICE_NAME_PREFIX, (unsigned long long)mellanox_ioc_guid);
+       snprintf(svc_entries->service_entries[0].name,
+                sizeof(svc_entries->service_entries[0].name),
+                "%s%016llx",
+                SRP_SERVICE_NAME_PREFIX,
+                (unsigned long long)mellanox_ioc_guid);
 
        mad->mad_hdr.status = 0;
 }
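Review bot: The result of the new snprintf() in srpt_get_svc_entries() is discarded, so a service name that does not fit is truncated silently and the reply would carry a shortened name instead of failing visibly. The size bound itself is correct; what is missing is a check, for example storing the result in an `int len` and adding `WARN_ON(len >= (int)sizeof(svc_entries->service_entries[0].name));`. The same applies to the snprintf() into ch->sess_name in the srpt_cm_req_recv() hunk, where a truncated name would be handed to scst_register_session(). The function body starts outside this hunk.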
@@ -1346,6 +1349,8 @@ static struct srpt_rdma_ch *srpt_find_channel(struct ib_cm_id *cm_id)
 
 static int srpt_release_channel(struct srpt_rdma_ch *ch, int destroy_cmid)
 {
+       TRACE_ENTRY();
+
        spin_lock_irq(&ch->sport->sdev->spinlock);
        list_del(&ch->list);
        spin_unlock_irq(&ch->sport->sdev->spinlock);
@@ -1380,6 +1385,8 @@ static int srpt_release_channel(struct srpt_rdma_ch *ch, int destroy_cmid)
 
        kfree(ch);
 
+       TRACE_EXIT_RES(!destroy_cmid);
+
        return destroy_cmid ? 0 : 1;
 }
 
@@ -1529,9 +1536,12 @@ static int srpt_cm_req_recv(struct ib_cm_id *cm_id,
                goto destroy_ib;
        }
 
-       sprintf(ch->sess_name, "0x%016llx%016llx",
-               (unsigned long long)be64_to_cpu(*(u64 *)ch->i_port_id),
-               (unsigned long long)be64_to_cpu(*(u64 *)(ch->i_port_id + 8)));
+       snprintf(ch->sess_name, sizeof(ch->sess_name),
+                "0x%016llx%016llx",
+                (unsigned long long)be64_to_cpu(*(u64 *)ch->i_port_id),
+                (unsigned long long)be64_to_cpu(*(u64 *)(ch->i_port_id + 8)));
+
+       TRACE_DBG("registering session %s", ch->sess_name);
 
        BUG_ON(!sdev->scst_tgt);
        ch->scst_sess = scst_register_session(sdev->scst_tgt, 0, ch->sess_name,
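Review bot: Both arguments of the new snprintf() still read the port id through `*(u64 *)ch->i_port_id` and `*(u64 *)(ch->i_port_id + 8)`, which assumes the field is 8-byte aligned. The declaration of i_port_id is not in this hunk, so this should be confirmed against the struct. If it is a plain byte array, `get_unaligned_be64(ch->i_port_id)` and `get_unaligned_be64(ch->i_port_id + 8)` would read the same values without the alignment assumption. srpt_cm_req_recv() starts and ends outside the hunk.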
index 6a135e8..9bd08ac 100644 (file)
@@ -155,7 +155,7 @@ struct srpt_rdma_ch {
        u32 active_scmnd_cnt;
 
        struct scst_session *scst_sess;
-       u8 sess_name[32];
+       u8 sess_name[36];
 };
 
 struct srpt_port {
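Review bot: The new size `36` is a bare number whose derivation exists only in the commit message, so a later change to the format string in srpt_cm_req_recv() can bring the overrun risk back unnoticed. That format produces "0x" plus 32 hex digits plus the terminating NUL, 35 bytes, and a comment on the field such as `/* "0x" + 2 * 16 hex digits + NUL = 35 bytes, rounded up */` would record the link. Declaring the field as `char sess_name[36]` would also match how it is passed to snprintf() and to a `%s` trace argument. The struct definition starts outside the hunk.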