scsi: sd: Protect against READ(6) or WRITE(6) with zero block transfer length
author Bart Van Assche <bvanassche@acm.org>
Wed, 23 Jan 2019 19:12:37 +0000 (11:12 -0800)
committer Martin K. Petersen <martin.petersen@oracle.com>
Tue, 29 Jan 2019 05:49:23 +0000 (00:49 -0500)
Since the READ(6) and WRITE(6) commands interpret a zero in the transfer
length field in the CDB as 256 logical blocks, avoid submitting such
commands.

Cc: Douglas Gilbert <dgilbert@interlog.com>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Christoph Hellwig <hch@lst.de>
Reported-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Douglas Gilbert <dgilbert@interlog.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
drivers/scsi/sd.c

index 7a1cf6c80f6a9738d0f91eec6bf7990210eab721..4fbb8310e2686895b2bc23ba9d01dafb973a36b4 100644 (file)
@@ -1128,6 +1128,10 @@ static blk_status_t sd_setup_rw6_cmnd(struct scsi_cmnd *cmd, bool write,
                                      sector_t lba, unsigned int nr_blocks,
                                      unsigned char flags)
 {
+       /* Avoid that 0 blocks gets translated into 256 blocks. */
+       if (WARN_ON_ONCE(nr_blocks == 0))
+               return BLK_STS_IOERR;
+
        if (unlikely(flags & 0x8)) {
                /*
                 * This happens only if this drive failed 10byte rw
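Review bot: The guard added at the top of sd_setup_rw6_cmnd() uses WARN_ON_ONCE(nr_blocks == 0), so only the first zero-length request is logged and every later one fails with BLK_STS_IOERR silently; on a system that has panic_on_warn set, that first hit is a panic instead of an I/O error. It is worth stating in the commit message or the comment which callers can pass nr_blocks == 0 here, and if any of them is reachable from user-controlled I/O, a plain check with a rate-limited message would be safer than a WARN. The check also covers only the zero case: the visible lines do not show whether values too large for the READ(6)/WRITE(6) transfer length field are rejected elsewhere in the function, and a value that wraps to zero when encoded would have the same 256-block effect the commit message describes, so please confirm the upper bound is enforced as well. Minor wording point: the comment would read better as a statement of the rule, for example that READ(6) and WRITE(6) treat a transfer length of 0 as 256 blocks and an empty request must therefore be rejected.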