From ca2aa8d3e72c2bc092b59b87d6d5ce1ca4a5c76b Mon Sep 17 00:00:00 2001
From: Vladislav Bolkhovitin <vst@vlnb.net>
Date: Wed, 20 Jun 2012 02:08:09 +0000
Subject: [PATCH] scst pr: Check buffer size before reading from that buffer

From: Bart Van Assche <bvanassche@acm.org>



git-svn-id: http://svn.code.sf.net/p/scst/svn/trunk@4368 d57e44dd-8a1f-0410-8b47-8ef2f437770f
---
 scst/src/scst_pres.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/scst/src/scst_pres.c b/scst/src/scst_pres.c
index e42924b56..58c0ce1d6 100644
--- a/scst/src/scst_pres.c
+++ b/scst/src/scst_pres.c
@@ -2026,11 +2026,6 @@ static void scst_pr_do_preempt(struct scst_cmd *cmd, uint8_t *buffer,
 
 	TRACE_ENTRY();
 
-	key = get_unaligned((__be64 *)&buffer[0]);
-	action_key = get_unaligned((__be64 *)&buffer[8]);
-	scope = (cmd->cdb[2] & 0x0f) >> 4;
-	type = cmd->cdb[2] & 0x0f;
-
 	if (buffer_size != 24) {
 		TRACE_PR("Invalid buffer size %d", buffer_size);
 		scst_set_cmd_error(cmd,
@@ -2038,6 +2033,11 @@ static void scst_pr_do_preempt(struct scst_cmd *cmd, uint8_t *buffer,
 		goto out;
 	}
 
+	key = get_unaligned((__be64 *)&buffer[0]);
+	action_key = get_unaligned((__be64 *)&buffer[8]);
+	scope = (cmd->cdb[2] & 0x0f) >> 4;
+	type = cmd->cdb[2] & 0x0f;
+
 	if (!scst_pr_type_valid(type)) {
 		TRACE_PR("Invalid reservation type %d", type);
 		scst_set_cmd_error(cmd,