From 874f8d594353246e92d2939eba1ede48045f8b52 Mon Sep 17 00:00:00 2001
From: Vladislav Bolkhovitin
Date: Fri, 28 Dec 2012 23:20:07 +0000
Subject: [PATCH] Fix possible crash if misbehaving dev handler tries to set too big response data len.
git-svn-id: http://svn.code.sf.net/p/scst/svn/trunk@4670 d57e44dd-8a1f-0410-8b47-8ef2f437770f
---
 scst/src/scst_lib.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/scst/src/scst_lib.c b/scst/src/scst_lib.c
index a6bf32e0c..f9a5eeca6 100644
--- a/scst/src/scst_lib.c
+++ b/scst/src/scst_lib.c
@@ -2865,6 +2865,14 @@ void scst_set_resp_data_len(struct scst_cmd *cmd, int resp_data_len)
 TRACE_DBG("cmd %p, resp_data_len %d", cmd, resp_data_len);
+ if (unlikely(resp_data_len > cmd->bufflen)) {
+ PRINT_ERROR("Too big response data len %d (max %d), limiting "
+ "it to the max (dev %s)", resp_data_len, cmd->bufflen,
+ cmd->dev->virt_name);
+ cmd->resp_data_len = cmd->bufflen;
+ goto out;
+ }
+
 scst_adjust_sg(cmd, cmd->sg, &cmd->sg_cnt, resp_data_len);
 cmd->resid_possible = 1;
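Review bot: The new bound in `scst_set_resp_data_len()` rejects only values above `cmd->bufflen`; `resp_data_len` is a signed `int`, so a negative length from the same misbehaving dev handler passes the check and still reaches `scst_adjust_sg()`. A lower-bound guard ahead of it, for example `if (unlikely(resp_data_len < 0)) resp_data_len = 0;` (or failing the command, whichever the callers expect), would cover the other half of the range. The error branch also dereferences `cmd->dev` for the message and logs unconditionally, so it is worth confirming `cmd->dev` is always set here and considering a rate-limited print, since a faulty handler could hit this on every command. The function starts before and continues past this hunk, so the `out` label and whatever runs ahead of the check are not visible.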