Date:      Sat, 21 Jan 2017 08:19:13 +0000 (UTC)
From:      Alexander Motin <mav@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r312568 - stable/11/sbin/camcontrol
Message-ID:  <201701210819.v0L8JDfc012680@repo.freebsd.org>

Author: mav
Date: Sat Jan 21 08:19:13 2017
New Revision: 312568
URL: https://svnweb.freebsd.org/changeset/base/312568

Log:
  MFC r311897: Add checks for received mode page length.
  
  If our buffer is too small, we may receive only part of the page, and
  should not try to read/write past the end of the buffer.
  
  Reported by:    Coverity
  CID:            1368374, 1368375

Modified:
  stable/11/sbin/camcontrol/modeedit.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sbin/camcontrol/modeedit.c
==============================================================================
--- stable/11/sbin/camcontrol/modeedit.c	Sat Jan 21 08:17:30 2017	(r312567)
+++ stable/11/sbin/camcontrol/modeedit.c	Sat Jan 21 08:19:13 2017	(r312568)
@@ -557,7 +557,7 @@ editlist_populate(struct cam_device *dev
 	struct scsi_mode_header_6 *mh;	/* Location of mode header. */
 	struct scsi_mode_page_header *mph;
 	struct scsi_mode_page_header_sp *mphsp;
-	int len;
+	size_t len;
 
 	STAILQ_INIT(&editlist);
 
@@ -575,6 +575,7 @@ editlist_populate(struct cam_device *dev
 		mode_pars = (uint8_t *)(mphsp + 1);
 		len = scsi_2btoul(mphsp->page_length);
 	}
+	len = MIN(len, sizeof(data) - (mode_pars - data));
 
 	/* Decode the value data, creating edit_entries for each value. */
 	buff_decode_visit(mode_pars, len, format, editentry_create, 0);
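Review bot: The added clamp `len = MIN(len, sizeof(data) - (mode_pars - data));` only helps while `mode_pars` still points inside `data`; if the offset ever exceeds `sizeof(data)`, the unsigned subtraction wraps to a very large value and `MIN` leaves the device-reported `len` untouched. `mode_pars` is computed above this hunk, so whether that offset is bounded cannot be confirmed from here, but it appears to derive from header fields the device supplies, and `page_length` is read from the page header before any bound is applied. Computing the offset first closes the gap: `size_t off = (size_t)(mode_pars - data);` followed by `len = (off < sizeof(data)) ? MIN(len, sizeof(data) - off) : 0;`. The same line is added in `editlist_save` and `modepage_dump` and has the same gap. `editlist_populate` starts and ends outside this hunk.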
@@ -594,7 +595,7 @@ editlist_save(struct cam_device *device,
 	struct scsi_mode_header_6 *mh;	/* Location of mode header. */
 	struct scsi_mode_page_header *mph;
 	struct scsi_mode_page_header_sp *mphsp;
-	int len, hlen;
+	size_t len, hlen;
 
 	/* Make sure that something changed before continuing. */
 	if (! editlist_changed)
@@ -617,6 +618,7 @@ editlist_save(struct cam_device *device,
 		mode_pars = (uint8_t *)(mphsp + 1);
 		len = scsi_2btoul(mphsp->page_length);
 	}
+	len = MIN(len, sizeof(data) - (mode_pars - data));
 
 	/* Encode the value data to be passed back to the device. */
 	buff_encode_visit(mode_pars, len, format, editentry_save, 0);
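Review bot: In `editlist_save` the clamp silently shortens the page just before `buff_encode_visit` writes the edited values into it, so a page that did not fit in `data` is only partly encoded; if the rest of the function (outside this hunk) then sends the buffer back to the device, the user gets a partial update with no diagnostic. On the write path it seems safer to refuse than to truncate, e.g. `if (len > sizeof(data) - (size_t)(mode_pars - data)) errx(EX_SOFTWARE, "mode page does not fit in buffer");` (the message text is only a suggestion, and this assumes `errx` and `<sysexits.h>` are already available in this file). At minimum, a comment such as `/* Clamp to the buffer: the device may report a page longer than we received. */` would record why the clamp is there.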
@@ -814,7 +816,7 @@ modepage_dump(struct cam_device *device,
 	struct scsi_mode_header_6 *mh;	/* Location of mode header. */
 	struct scsi_mode_page_header *mph;
 	struct scsi_mode_page_header_sp *mphsp;
-	int indx, len;
+	size_t indx, len;
 
 	mode_sense(device, dbd, pc, page, subpage, retries, timeout,
 	    data, sizeof(data));
@@ -829,6 +831,7 @@ modepage_dump(struct cam_device *device,
 		mode_pars = (uint8_t *)(mphsp + 1);
 		len = scsi_2btoul(mphsp->page_length);
 	}
+	len = MIN(len, sizeof(data) - (mode_pars - data));
 
 	/* Print the raw mode page data with newlines each 8 bytes. */
 	for (indx = 0; indx < len; indx++) {


