Date: Fri, 8 Aug 1997 09:17:50 -0400 (CST) From: Gordon Oliver <gordo@telsur.cl> To: aic7xxx@freebsd.org Subject: patch against v 4.1/3.2 (linux 2.0.30+pre-patch-3) Message-ID: <199708081317.JAA00177@gringo.telsur.cl>
next in thread | raw e-mail | index | archive | help
Hi,
I sent this patch to linux kernel, and someone suggested that I
send it here as well. It (should) fix the possible problem of
overflow in the proc statistics handler. If there is more than one
LUN on a given target, it is likely that the printout will exceed the
4K buffer without this patch (buffer overruns are bad, no)
-gordo
(gordo@telsur.cl - newly subscribed to the list, so CC: me)
--------------------------------------------------------------------
--- linux/drivers/scsi/aic7xxx_proc.c.pre3 Wed Aug 6 20:43:53 1997
+++ linux/drivers/scsi/aic7xxx_proc.c Wed Aug 6 23:11:32 1997
@@ -76,7 +76,6 @@
{
struct Scsi_Host *HBAptr;
struct aic7xxx_host *p;
- static u8 buff[512];
int i;
int found = FALSE;
int size = 0;
@@ -129,11 +128,6 @@
return (aic7xxx_set_info(buffer, length, HBAptr));
}
- if (offset == 0)
- {
- memset(buff, 0, sizeof(buff));
- }
-
p = (struct aic7xxx_host *) HBAptr->hostdata;
size += sprintf(BLS, "Adaptec AIC7xxx driver version: ");
@@ -142,7 +136,14 @@
#if 0
size += sprintf(BLS, "%s\n", rcs_version(AIC7XXX_SEQ_VER));
#endif
+ if (size > 512)
+ printk(KERN_CRIT "aic7xxx: possible overflow at first position\n");
len += size; pos = begin + len; size = 0;
+ if (pos < offset)
+ {
+ begin = pos;
+ len = 0;
+ }
size += sprintf(BLS, "\n");
size += sprintf(BLS, "Compile Options:\n");
@@ -167,7 +168,16 @@
#else
size += sprintf(BLS, " AIC7XXX_PROC_STATS : Disabled\n");
#endif
+ if (size > 512)
+ printk(KERN_CRIT "aic7xxx: possible overflow at second position\n");
len += size; pos = begin + len; size = 0;
+ if (pos < offset)
+ {
+ begin = pos;
+ len = 0;
+ }
+ else if (pos >= offset + length)
+ goto stop_output;
size += sprintf(BLS, "\n");
size += sprintf(BLS, "Adapter Configuration:\n");
@@ -201,7 +211,16 @@
(p->flags & ULTRA_ENABLED) ? "En" : "Dis");
size += sprintf(BLS, " Target Disconnect: %sabled\n",
p->discenable ? "En" : "Dis");
+ if (size > 512)
+ printk(KERN_CRIT "aic7xxx: possible overflow at third position\n");
len += size; pos = begin + len; size = 0;
+ if (pos < offset)
+ {
+ begin = pos;
+ len = 0;
+ }
+ else if (pos >= offset + length)
+ goto stop_output;
#ifdef AIC7XXX_PROC_STATS
{
@@ -210,6 +229,7 @@
/*
* XXX: Need to fix this to avoid overflow...
+ * Fixed - gordo.
*/
size += sprintf(BLS, "\n");
size += sprintf(BLS, "Statistics:\n");
@@ -247,9 +267,18 @@
sp->w_bins[9]);
size += sprintf(BLS, "\n");
}
+ if (size > 512)
+ printk(KERN_CRIT "aic7xxx: possible overflow at loop %d:%d\n", target, lun);
+ len += size; pos = begin + len; size = 0;
+ if (pos < offset)
+ {
+ begin = pos;
+ len = 0;
+ }
+ else if (pos >= offset + length)
+ goto stop_output;
}
}
- len += size; pos = begin + len; size = 0;
}
#endif /* AIC7XXX_PROC_STATS */
@@ -257,7 +286,11 @@
proc_debug("2pos: %ld offset: %ld len: %d\n", pos, offset, len);
*start = buffer + (offset - begin); /* Start of wanted data */
len -= (offset - begin); /* Start slop */
- if (len > length)
+ if (len < 0)
+ {
+ len = 0; /* off end of file */
+ }
+ else if (len > length)
{
len = length; /* Ending slop */
}
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199708081317.JAA00177>