diff options
author | Hannes Reinecke <hare@suse.de> | 2010-03-09 12:18:48 +0300 |
---|---|---|
committer | James Bottomley <James.Bottomley@suse.de> | 2010-04-11 18:23:27 +0400 |
commit | 36dd288f0f930c154ec6a4d73a6a35f3079418c6 (patch) | |
tree | 63fb1e1ec6716561051a2da94479904ffaeac016 /drivers/scsi/scsi_transport_fc.c | |
parent | bb789d01620e5d36081b22edb6fb71cf55ff043c (diff) | |
download | linux-36dd288f0f930c154ec6a4d73a6a35f3079418c6.tar.xz |
[SCSI] scsi_transport_fc: Protect against overflow in dev_loss_tmo
The rport structure defines dev_loss_tmo as u32, which is
later multiplied with HZ to get the actual timeout value.
This might overflow for large dev_loss_tmo values. So we
should be better using u64 as intermediate variables here
to protect against overflow.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Acked-by: James Smart <james.smart@emulex.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Diffstat (limited to 'drivers/scsi/scsi_transport_fc.c')
-rw-r--r-- | drivers/scsi/scsi_transport_fc.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/drivers/scsi/scsi_transport_fc.c b/drivers/scsi/scsi_transport_fc.c index 6cfffc88022a..55fe730a8606 100644 --- a/drivers/scsi/scsi_transport_fc.c +++ b/drivers/scsi/scsi_transport_fc.c @@ -834,7 +834,7 @@ static ssize_t store_fc_rport_dev_loss_tmo(struct device *dev, struct device_attribute *attr, const char *buf, size_t count) { - int val; + unsigned long val; struct fc_rport *rport = transport_class_to_rport(dev); struct Scsi_Host *shost = rport_to_shost(rport); struct fc_internal *i = to_fc_internal(shost->transportt); @@ -848,6 +848,12 @@ store_fc_rport_dev_loss_tmo(struct device *dev, struct device_attribute *attr, return -EINVAL; /* + * Check for overflow; dev_loss_tmo is u32 + */ + if (val > UINT_MAX) + return -EINVAL; + + /* * If fast_io_fail is off we have to cap * dev_loss_tmo at SCSI_DEVICE_BLOCK_MAX_TIMEOUT */ @@ -2865,7 +2871,7 @@ void fc_remote_port_delete(struct fc_rport *rport) { struct Scsi_Host *shost = rport_to_shost(rport); - int timeout = rport->dev_loss_tmo; + unsigned long timeout = rport->dev_loss_tmo; unsigned long flags; /* |