libmpathpersist: fix off-by-one error in PRIN length check
authorMartin Wilck <mwilck@suse.com>
Mon, 26 Nov 2018 16:29:33 +0000 (17:29 +0100)
committerChristophe Varoqui <christophe.varoqui@opensvc.com>
Fri, 7 Dec 2018 15:42:17 +0000 (16:42 +0100)
The length check added by bf25392f4e98 was off by one, so
that a warning was printed even for correct responses
for PERSISTENT_RESERVE_IN READ_FULL_STATUS service actions.
Non-fatal, but should be fixed nonetheless.

Fixes: bf25392f4e98 "libmpathpersist: fix stack overflow in
   mpath_format_readfullstatus()"
Signed-off-by: Martin Wilck <mwilck@suse.com>
libmpathpersist/mpath_pr_ioctl.c

index a222b1e..c4f4ccd 100644 (file)
@@ -241,7 +241,7 @@ void mpath_format_readfullstatus(struct prin_resp *pr_buff, int len, int noisy)
                fdesc.rtpi = get_unaligned_be16(&p[18]);
 
                tid_len_len = get_unaligned_be32(&p[20]);
-               if (tid_len_len + 24 + k >= additional_length) {
+               if (tid_len_len + 24 + k > additional_length) {
                        condlog(0,
                                "%s: corrupt PRIN response: status descriptor end %d exceeds length %d",
                                __func__, tid_len_len + k + 24,