scsi: mpt3sas: Fix buffer overflow in mpt3sas_send_mctp_passthru_req()

The "sz" argument in mpt3sas_check_cmd_timeout() is the number of u32, not the number of bytes. We dump that many u32 values to dmesg. Passing the number of bytes will lead to a read overflow. Divide by 4 to get the correct value. Fixes: c72be4b5bb7c ("scsi: mpt3sas: Add support for MCTP Passthrough commands") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Link: https://lore.kernel.org/r/02b0d4ff-961c-49ae-921a-5cc469edf93c@stanley.mountain Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
author: Dan Carpenter <dan.carpenter@linaro.org> 2025-02-28 12:37:28 +0300
committer: Martin K. Petersen <martin.petersen@oracle.com> 2025-03-03 22:11:47 -0500
commit: 0711f1966a523d77d4c5f00776a7bd073d56251a (patch)
tree: 93c10eca27f2b538833f96c11fdfbf438dc7bdc8
parent: 8a9b76b7d9137e15e5036d082cb276c1e8a6e100 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
index ff8fedf5f20e..063b10dd8251 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
@@ -3017,7 +3017,7 @@ int mpt3sas_send_mctp_passthru_req(struct mpt3_passthru_command *command)
 	if (!(ioc->ctl_cmds.status & MPT3_CMD_COMPLETE)) {
 		mpt3sas_check_cmd_timeout(ioc,
 		    ioc->ctl_cmds.status, mpi_request,
-		    sizeof(Mpi26MctpPassthroughRequest_t), issue_reset);
+		    sizeof(Mpi26MctpPassthroughRequest_t) / 4, issue_reset);
 		goto issue_host_reset;
 	}
author	Dan Carpenter <dan.carpenter@linaro.org>	2025-02-28 12:37:28 +0300
committer	Martin K. Petersen <martin.petersen@oracle.com>	2025-03-03 22:11:47 -0500
commit	0711f1966a523d77d4c5f00776a7bd073d56251a (patch)
tree	93c10eca27f2b538833f96c11fdfbf438dc7bdc8
parent	8a9b76b7d9137e15e5036d082cb276c1e8a6e100 (diff)