Date: Fri, 17 Nov 2017 17:13:00 +0000 (UTC)
From: Alan Somers <asomers@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r325947 - head/sys/cam/scsi
Message-ID: <201711171713.vAHHD0sB020555@repo.freebsd.org>
Author: asomers Date: Fri Nov 17 17:13:00 2017 New Revision: 325947 URL: https://svnweb.freebsd.org/changeset/base/325947 Log: Fix potential NULL pointer dereference of device physical path In scsi_dev_advinfo(), if the physical path is being stored and there is a malloc failure (malloc(9) is called with M_NOWAIT), we could wind up in a situation where the device's physpath_len is set to the length the user provided, but the physpath itself is NULL. If another context then comes in to fetch the physical path value, we would wind up trying to memcpy a NULL pointer into the caller's buffer. So, set the physpath_len to 0 when we free the physpath on entry into the store case for the physical path. Reset the length to a non-zero value only after we've successfully malloced a buffer to hold it. Submitted by: ken Reviewed by: asomers MFC after: 3 weeks Sponsored by: Spectra Logic Corp Modified: head/sys/cam/scsi/scsi_xpt.c Modified: head/sys/cam/scsi/scsi_xpt.c ============================================================================== --- head/sys/cam/scsi/scsi_xpt.c Fri Nov 17 16:04:37 2017 (r325946) +++ head/sys/cam/scsi/scsi_xpt.c Fri Nov 17 17:13:00 2017 (r325947) @@ -2549,8 +2549,8 @@ scsi_dev_advinfo(union ccb *start_ccb) if (device->physpath != NULL) { free(device->physpath, M_CAMXPT); device->physpath = NULL; + device->physpath_len = 0; } - device->physpath_len = cdai->bufsiz; /* Clear existing buffer if zero length */ if (cdai->bufsiz == 0) break; @@ -2559,6 +2559,7 @@ scsi_dev_advinfo(union ccb *start_ccb) start_ccb->ccb_h.status = CAM_REQ_ABORTED; return; } + device->physpath_len = cdai->bufsiz; memcpy(device->physpath, cdai->buf, cdai->bufsiz); } else { cdai->provsiz = device->physpath_len;
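Review bot: in the first hunk (@@ -2549,8 +2549,8 @@), the new "device->physpath_len = 0;" is placed inside the "if (device->physpath != NULL)" block, so the length is reset only when there was a buffer to free. If the store case is entered with physpath already NULL, physpath_len keeps whatever value it held. Moving the assignment to just after the closing brace would make the reset unconditional and enforce the invariant the log message relies on (a non-zero physpath_len only while physpath points at an allocated buffer), regardless of the state the device was in on entry.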
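Review bot: in the second hunk (@@ -2559,6 +2559,7 @@), the failure path directly above the new "device->physpath_len = cdai->bufsiz;" sets CAM_REQ_ABORTED and returns after the previous buffer has already been freed in the first hunk, so a failed allocation (the log message notes malloc(9) is called with M_NOWAIT) leaves the device with no physical path at all instead of the old one. Consider allocating the new buffer first and freeing the old one only once the allocation has succeeded. A one-line comment at the new assignment saying that the length must be set only after the allocation succeeds would also help keep this ordering intact in later edits.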