From 9105e9cf5d40c1a61dcdcb049f5ba0e860a0074e Mon Sep 17 00:00:00 2001
From: Bart Van Assche <bart.vanassche@sandisk.com>
Date: Mon, 3 Aug 2015 18:46:16 +0000
Subject: [PATCH] isert: Don't overwrite userspace if insufficient buffer is
 provided

Signed-off-by: Yan Burman <yanb@mellanox.com>


git-svn-id: http://svn.code.sf.net/p/scst/svn/trunk@6460 d57e44dd-8a1f-0410-8b47-8ef2f437770f
---
 iscsi-scst/kernel/isert-scst/isert_login.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/iscsi-scst/kernel/isert-scst/isert_login.c b/iscsi-scst/kernel/isert-scst/isert_login.c
index e2e42a505..f92eafe30 100644
--- a/iscsi-scst/kernel/isert-scst/isert_login.c
+++ b/iscsi-scst/kernel/isert-scst/isert_login.c
@@ -333,6 +333,7 @@ static ssize_t isert_listen_read(struct file *filp, char __user *buf,
 	struct isert_conn_dev *conn_dev;
 	int res = 0;
 	char k_buff[sizeof("/dev/") + sizeof(ISER_CONN_DEV_PREFIX) + 3 + 1];
+	size_t to_write;
 
 	TRACE_ENTRY();
 
@@ -357,8 +358,9 @@ wait_for_connection:
 	list_move(&conn_dev->conn_list_entry, &dev->curr_conn_list);
 	spin_unlock(&dev->conn_lock);
 
-	res = snprintf(k_buff, sizeof(k_buff), "/dev/"ISER_CONN_DEV_PREFIX"%d",
-		       conn_dev->idx);
+	to_write = min_t(size_t, sizeof(k_buff), count);
+	res = scnprintf(k_buff, to_write, "/dev/"ISER_CONN_DEV_PREFIX"%d",
+			conn_dev->idx);
 	++res; /* copy trailing \0 as well */
 
 	if (unlikely(copy_to_user(buf, k_buff, res)))