From 7b8363827ba1b3a50ef2c7b5cb5421b7398ecf32 Mon Sep 17 00:00:00 2001
From: Ronnie Sahlberg
Date: Thu, 24 Dec 2015 10:34:45 -0800
Subject: [PATCH] libiscsi: Fix RECEIVE COPY RESULTS response unmarshalling

Allocate the correct amount of memory for the scsi_copy_results_copy_status and scsi_copy_results_op_params structures.

Signed-off-by: Bart Van Assche
---
 lib/scsi-lowlevel.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/lib/scsi-lowlevel.c b/lib/scsi-lowlevel.c
index 0ce5083..8661dee 100644
--- a/lib/scsi-lowlevel.c
+++ b/lib/scsi-lowlevel.c
@@ -845,8 +845,9 @@ scsi_receivecopyresults_datain_unmarshall(struct scsi_task *task)
 switch (sa) {
 case SCSI_COPY_RESULTS_COPY_STATUS:
 len = task_get_uint32(task, 0);
-
- cs = scsi_malloc(task, len+4);
+ if (len < 8)
+ return NULL;
+ cs = scsi_malloc(task, sizeof(*cs));
 if (cs == NULL) {
 return NULL;
 }
@@ -860,8 +861,9 @@ scsi_receivecopyresults_datain_unmarshall(struct scsi_task *task)
 
 case SCSI_COPY_RESULTS_OP_PARAMS:
 len = task_get_uint32(task, 0);
-
- op = scsi_malloc(task, len+4);
+ if (len < 40)
+ return NULL;
+ op = scsi_malloc(task, sizeof(*op) + task_get_uint8(task, 43));
 if (op == NULL) {
 return NULL;
 }
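Review bot: In the SCSI_COPY_RESULTS_COPY_STATUS case the new `if (len < 8)` guard tests the AVAILABLE DATA value that the target wrote into the response, not the number of bytes that actually arrived, so a truncated data-in buffer that claims a large length still passes. Unless the task_get_* accessors bounds-check on their own (not visible in this hunk), the field reads that follow the allocation would then run past the received data; checking the received size as well, e.g. `if (len < 8 || task->datain.size < 12) return NULL;`, closes that gap. The same applies to `if (len < 40)` in the SCSI_COPY_RESULTS_OP_PARAMS hunk, where the fixed part of the response is 44 bytes. A comment such as `/* COPY STATUS: 4-byte AVAILABLE DATA field + 8 bytes of status */` would explain the constant. The case body continues past the end of the hunk.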
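Review bot: In the SCSI_COPY_RESULTS_OP_PARAMS case the list length read with `task_get_uint8(task, 43)` sizes the allocation but is never compared with `len`, so a response can declare more implemented-descriptor entries than the available data it reports. The allocation stays consistent provided the code after the hunk (not shown) copies using the same byte, but the entries would presumably be taken from beyond the declared payload; `if (len < 40 || task_get_uint8(task, 43) > len - 40) return NULL;` rejects such a response. Reading the byte once into a named local, with a comment that offset 43 is the implemented descriptor list length and that `len` excludes the 4-byte header, would also make the 40 and 43 constants self-explanatory.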