From 9d660f187a9cb45b36af9112a45ebc701ea80815 Mon Sep 17 00:00:00 2001
From: Hailiang Wang <hailiangx.e.wang@intel.com>
Date: Wed, 16 Oct 2019 20:10:12 +0800
Subject: [PATCH] lib/iscsi: add checking total_ahs_len in iscsi_reject

Fix static analyzer error by ensuring 4 * total_ahs_len is
not larger than ISCSI_AHS_LEN.

When ./configure -enable-werror --enable-ubsan --enable-asan,
iscsi target reports heap-buffer-overflow error
when I feeding unexpeted pdu opcode.

Change-Id: Ib8053e1a19b5e49385642106eb79c458d35ab3c6
Signed-off-by: Hailiang Wang <hailiangx.e.wang@intel.com>
Reviewed-on: https://review.gerrithub.io/c/spdk/spdk/+/471489
Reviewed-by: Shuhei Matsumoto <shuhei.matsumoto.xt@hitachi.com>
Reviewed-by: Jim Harris <james.r.harris@intel.com>
Reviewed-by: Liang Yan <liang.z.yan@intel.com>
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
---
 lib/iscsi/iscsi.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/iscsi/iscsi.c b/lib/iscsi/iscsi.c
index 268f20ae9..39d1e95c4 100644
--- a/lib/iscsi/iscsi.c
+++ b/lib/iscsi/iscsi.c
@@ -281,8 +281,9 @@ iscsi_reject(struct spdk_iscsi_conn *conn, struct spdk_iscsi_pdu *pdu,
 	data_len += ISCSI_BHS_LEN;
 
 	if (total_ahs_len != 0) {
-		memcpy(data + data_len, pdu->ahs, (4 * total_ahs_len));
-		data_len += (4 * total_ahs_len);
+		total_ahs_len = spdk_min((4 * total_ahs_len), ISCSI_AHS_LEN);
+		memcpy(data + data_len, pdu->ahs, total_ahs_len);
+		data_len += total_ahs_len;
 	}
 
 	if (conn->header_digest) {