From owner-dev-commits-src-main@freebsd.org Mon May 3 14:20:37 2021 Return-Path: Delivered-To: dev-commits-src-main@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id E43C8634184; Mon, 3 May 2021 14:20:37 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4FYlW9654gz4rjf; Mon, 3 May 2021 14:20:37 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id C42C41F8A6; Mon, 3 May 2021 14:20:37 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 143EKb8J064576; Mon, 3 May 2021 14:20:37 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 143EKbhZ064575; Mon, 3 May 2021 14:20:37 GMT (envelope-from git) Date: Mon, 3 May 2021 14:20:37 GMT Message-Id: <202105031420.143EKbhZ064575@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Edward Tomasz Napierala Subject: git: 7818653fd6e0 - main - cam: fix integer overflow during inquiry MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: trasz X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 7818653fd6e00c3e310584723978e65674c95939 Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-main@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commit messages for the main branch of the src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 May 2021 14:20:38 -0000 The branch main has been updated by trasz: URL: https://cgit.FreeBSD.org/src/commit/?id=7818653fd6e00c3e310584723978e65674c95939 commit 7818653fd6e00c3e310584723978e65674c95939 Author: Edward Tomasz Napierala AuthorDate: 2021-05-03 13:46:11 +0000 Commit: Edward Tomasz Napierala CommitDate: 2021-05-03 14:20:17 +0000 cam: fix integer overflow during inquiry From my understanding this could happen with iSCSI LUNs with unusually long names. The bug would make CAM fail to retrieve the full inquiry data. Instead of bumping the size of the local variable, just use a macro. Reviewed By: imp, mav Sponsored by: NetApp, Inc. Sponsored by: Klara, Inc. X-NetApp-PR: #50 Differential Revision: https://reviews.freebsd.org/D29991 --- sys/cam/scsi/scsi_xpt.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/sys/cam/scsi/scsi_xpt.c b/sys/cam/scsi/scsi_xpt.c index bed1f3ad1373..67b94488dff0 100644 --- a/sys/cam/scsi/scsi_xpt.c +++ b/sys/cam/scsi/scsi_xpt.c @@ -1210,8 +1210,6 @@ out: if (periph_qual == SID_QUAL_LU_CONNECTED || periph_qual == SID_QUAL_LU_OFFLINE) { - u_int8_t len; - /* * We conservatively request only * SHORT_INQUIRY_LEN bytes of inquiry @@ -1222,11 +1220,9 @@ out: * the amount of information the device * is willing to give. */ - len = inq_buf->additional_length - + offsetof(struct scsi_inquiry_data, - additional_length) + 1; if (softc->action == PROBE_INQUIRY - && len > SHORT_INQUIRY_LENGTH) { + && SID_ADDITIONAL_LENGTH(inq_buf) + > SHORT_INQUIRY_LENGTH) { PROBE_SET_ACTION(softc, PROBE_FULL_INQUIRY); xpt_release_ccb(done_ccb); xpt_schedule(periph, priority);