diff options
| author | mav <mav@FreeBSD.org> | 2017-01-21 08:19:42 +0000 |
|---|---|---|
| committer | mav <mav@FreeBSD.org> | 2017-01-21 08:19:42 +0000 |
| commit | 96b148126a77af9294a01230ffed52430b6ba1e8 (patch) | |
| tree | 1608db4ae467e677fe5183414a512cdb0c814a61 /sbin | |
| parent | 0326d972fce41ce12a9215ca34c42eacc6d39db4 (diff) | |
| download | FreeBSD-src-96b148126a77af9294a01230ffed52430b6ba1e8.zip FreeBSD-src-96b148126a77af9294a01230ffed52430b6ba1e8.tar.gz | |
MFC r311897: Add checks for received mode page length.
If our buffer is too small, we may receive part of the page, and should
not try read/write past the end of the buffer.
Reported by: Coverity
CID: 1368374, 1368375
Diffstat (limited to 'sbin')
| -rw-r--r-- | sbin/camcontrol/modeedit.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/sbin/camcontrol/modeedit.c b/sbin/camcontrol/modeedit.c index cbc138c..90862db 100644 --- a/sbin/camcontrol/modeedit.c +++ b/sbin/camcontrol/modeedit.c @@ -557,7 +557,7 @@ editlist_populate(struct cam_device *device, int dbd, int pc, int page, struct scsi_mode_header_6 *mh; /* Location of mode header. */ struct scsi_mode_page_header *mph; struct scsi_mode_page_header_sp *mphsp; - int len; + size_t len; STAILQ_INIT(&editlist); @@ -575,6 +575,7 @@ editlist_populate(struct cam_device *device, int dbd, int pc, int page, mode_pars = (uint8_t *)(mphsp + 1); len = scsi_2btoul(mphsp->page_length); } + len = MIN(len, sizeof(data) - (mode_pars - data)); /* Decode the value data, creating edit_entries for each value. */ buff_decode_visit(mode_pars, len, format, editentry_create, 0); @@ -594,7 +595,7 @@ editlist_save(struct cam_device *device, int dbd, int pc, int page, struct scsi_mode_header_6 *mh; /* Location of mode header. */ struct scsi_mode_page_header *mph; struct scsi_mode_page_header_sp *mphsp; - int len, hlen; + size_t len, hlen; /* Make sure that something changed before continuing. */ if (! editlist_changed) @@ -617,6 +618,7 @@ editlist_save(struct cam_device *device, int dbd, int pc, int page, mode_pars = (uint8_t *)(mphsp + 1); len = scsi_2btoul(mphsp->page_length); } + len = MIN(len, sizeof(data) - (mode_pars - data)); /* Encode the value data to be passed back to the device. */ buff_encode_visit(mode_pars, len, format, editentry_save, 0); @@ -814,7 +816,7 @@ modepage_dump(struct cam_device *device, int dbd, int pc, int page, int subpage, struct scsi_mode_header_6 *mh; /* Location of mode header. */ struct scsi_mode_page_header *mph; struct scsi_mode_page_header_sp *mphsp; - int indx, len; + size_t indx, len; mode_sense(device, dbd, pc, page, subpage, retries, timeout, data, sizeof(data)); @@ -829,6 +831,7 @@ modepage_dump(struct cam_device *device, int dbd, int pc, int page, int subpage, mode_pars = (uint8_t *)(mphsp + 1); len = scsi_2btoul(mphsp->page_length); } + len = MIN(len, sizeof(data) - (mode_pars - data)); /* Print the raw mode page data with newlines each 8 bytes. */ for (indx = 0; indx < len; indx++) { |
