[PATCH next] scsi: mpt3sas: Fix buffer overflow in mpt3sas_send_mctp_passthru_req()

From: Dan Carpenter
Date: Fri Feb 28 2025 - 04:41:32 EST

Next message: Pavel Pisa: "Re: [RFC PATCH 0/7] Add Linux Motion Control subsystem"
Previous message: Neeraj Upadhyay: "[RFC PATCH 04/31] Add GHCB allocations and helpers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The "sz" argument in mpt3sas_check_cmd_timeout() is the number of u32,
not the number of bytes. We dump that many u32 values to dmesg. Passing
the number of bytes will lead to a read overflow. Divide by 4 to get the
correct value.

Fixes: c72be4b5bb7c ("scsi: mpt3sas: Add support for MCTP Passthrough commands")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
drivers/scsi/mpt3sas/mpt3sas_ctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
index ff8fedf5f20e..063b10dd8251 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
@@ -3017,7 +3017,7 @@ int mpt3sas_send_mctp_passthru_req(struct mpt3_passthru_command *command)
if (!(ioc->ctl_cmds.status & MPT3_CMD_COMPLETE)) {
mpt3sas_check_cmd_timeout(ioc,
ioc->ctl_cmds.status, mpi_request,
- sizeof(Mpi26MctpPassthroughRequest_t), issue_reset);
+ sizeof(Mpi26MctpPassthroughRequest_t) / 4, issue_reset);
goto issue_host_reset;
}

--
2.47.2

Next message: Pavel Pisa: "Re: [RFC PATCH 0/7] Add Linux Motion Control subsystem"
Previous message: Neeraj Upadhyay: "[RFC PATCH 04/31] Add GHCB allocations and helpers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]