Date:      Tue, 10 Jan 2017 20:52:44 +0000 (UTC)
From:      Alexander Motin <mav@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r311897 - head/sbin/camcontrol
Message-ID:  <201701102052.v0AKqikj077567@repo.freebsd.org>

Author: mav
Date: Tue Jan 10 20:52:44 2017
New Revision: 311897
URL: https://svnweb.freebsd.org/changeset/base/311897

Log:
  Add checks for received mode page length.
  
  If our buffer is too small, we may receive part of the page, and should
  not try to read/write past the end of the buffer.
  
  Reported by:	Coverity
  CID:		1368374, 1368375
  MFC after:	1 week

Modified:
  head/sbin/camcontrol/modeedit.c

Modified: head/sbin/camcontrol/modeedit.c
==============================================================================
--- head/sbin/camcontrol/modeedit.c	Tue Jan 10 20:44:31 2017	(r311896)
+++ head/sbin/camcontrol/modeedit.c	Tue Jan 10 20:52:44 2017	(r311897)
@@ -557,7 +557,7 @@ editlist_populate(struct cam_device *dev
 	struct scsi_mode_header_6 *mh;	/* Location of mode header. */
 	struct scsi_mode_page_header *mph;
 	struct scsi_mode_page_header_sp *mphsp;
-	int len;
+	size_t len;
 
 	STAILQ_INIT(&editlist);
 
@@ -575,6 +575,7 @@ editlist_populate(struct cam_device *dev
 		mode_pars = (uint8_t *)(mphsp + 1);
 		len = scsi_2btoul(mphsp->page_length);
 	}
+	len = MIN(len, sizeof(data) - (mode_pars - data));
 
 	/* Decode the value data, creating edit_entries for each value. */
 	buff_decode_visit(mode_pars, len, format, editentry_create, 0);
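Review bot: The added clamp `len = MIN(len, sizeof(data) - (mode_pars - data));` only bounds the access while `mode_pars` still points inside `data`. If the header-derived offset ever exceeds `sizeof(data)`, the subtraction is done in `size_t`, wraps to a very large value, and `MIN` leaves the device-supplied `len` unchanged. How `mph`/`mphsp` are located is outside the hunk, so this is inferred; if that offset comes from a device-reported field, `mphsp->page_length` is also read before any bounds check. A guard such as `if ((size_t)(mode_pars - data) > sizeof(data))`, failing through the file's usual error path, would cover this if placed before the clamp, and ideally before the header fields are dereferenced. The same line is added in editlist_save and modepage_dump and has the same limitation.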
@@ -594,7 +595,7 @@ editlist_save(struct cam_device *device,
 	struct scsi_mode_header_6 *mh;	/* Location of mode header. */
 	struct scsi_mode_page_header *mph;
 	struct scsi_mode_page_header_sp *mphsp;
-	int len, hlen;
+	size_t len, hlen;
 
 	/* Make sure that something changed before continuing. */
 	if (! editlist_changed)
@@ -617,6 +618,7 @@ editlist_save(struct cam_device *device,
 		mode_pars = (uint8_t *)(mphsp + 1);
 		len = scsi_2btoul(mphsp->page_length);
 	}
+	len = MIN(len, sizeof(data) - (mode_pars - data));
 
 	/* Encode the value data to be passed back to the device. */
 	buff_encode_visit(mode_pars, len, format, editentry_save, 0);
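Review bot: When the clamp shortens `len` in editlist_save, the function carries on and encodes a partial page to be passed back to the device, with nothing telling the user that the page was truncated. On the save path a short page is arguably an error rather than something to trim quietly. Consider keeping the unclamped length and refusing to proceed, or at least warning, when it exceeds `sizeof(data) - (mode_pars - data)`. What happens to the buffer after `buff_encode_visit()` is outside the hunk, so the effect on the device is inferred from the comment on that line.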
@@ -814,7 +816,7 @@ modepage_dump(struct cam_device *device,
 	struct scsi_mode_header_6 *mh;	/* Location of mode header. */
 	struct scsi_mode_page_header *mph;
 	struct scsi_mode_page_header_sp *mphsp;
-	int indx, len;
+	size_t indx, len;
 
 	mode_sense(device, dbd, pc, page, subpage, retries, timeout,
 	    data, sizeof(data));
@@ -829,6 +831,7 @@ modepage_dump(struct cam_device *device,
 		mode_pars = (uint8_t *)(mphsp + 1);
 		len = scsi_2btoul(mphsp->page_length);
 	}
+	len = MIN(len, sizeof(data) - (mode_pars - data));
 
 	/* Print the raw mode page data with newlines each 8 bytes. */
 	for (indx = 0; indx < len; indx++) {


