[PATCH] scsi: qla2xxx: validate reset template state indices
From: Pengpeng Hou
Date: Mon Mar 23 2026 - 21:45:20 EST

qla8044_rmw_crb_reg() uses the reset template's index_a field to
select an entry from vha->reset_tmplt.array[]. The field is loaded from
the flash-backed reset template, but the driver does not verify that it
fits the 16-entry state array before indexing it.

Reject template entries whose state index falls outside the local reset
state array and flag the sequence as erroneous instead of reading past
the array.
---
drivers/scsi/qla2xxx/qla_nx2.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/qla2xxx/qla_nx2.c b/drivers/scsi/qla2xxx/qla_nx2.c
index 41ff6fbdb933..caaf2275b611 100644
--- a/drivers/scsi/qla2xxx/qla_nx2.c
+++ b/drivers/scsi/qla2xxx/qla_nx2.c
@@ -239,10 +239,19 @@ qla8044_rmw_crb_reg(struct scsi_qla_host *vha,
{
uint32_t value;
- if (p_rmw_hdr->index_a)
+ if (p_rmw_hdr->index_a) {
+ if (p_rmw_hdr->index_a >= QLA8044_MAX_RESET_SEQ_ENTRIES) {
+ ql_log(ql_log_warn, vha, 0xb153,
+ "%s: invalid reset template state index %u\n",
+ __func__, p_rmw_hdr->index_a);
+ vha->reset_tmplt.seq_error++;
+ return;
+ }
+
value = vha->reset_tmplt.array[p_rmw_hdr->index_a];
- else
+ } else {
qla8044_rd_reg_indirect(vha, raddr, &value);
+ }
value &= p_rmw_hdr->test_mask;
value <<= p_rmw_hdr->shl;
value >>= p_rmw_hdr->shr;
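Review bot: the new bound on index_a is QLA8044_MAX_RESET_SEQ_ENTRIES, and nothing in this hunk shows that the macro is the declared length of vha->reset_tmplt.array[]. Writing the test as index_a >= ARRAY_SIZE(vha->reset_tmplt.array) would tie the check to the array itself and keep it correct if the two ever diverge. The early return also drops the entry before the mask and shift steps and anything after them, and only increments seq_error; please confirm the caller checks seq_error and stops the reset sequence, and that message id 0xb153 is not already used elsewhere in the driver.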
--
2.50.1 (Apple Git-155)