MFC r311897: Add checks for received mode page length.

If our buffer is too small, we may receive part of the page, and should
not try read/write past the end of the buffer.

Reported by:    Coverity
CID:            1368374, 1368375
This commit is contained in:
Alexander Motin 2017-01-21 08:19:42 +00:00
parent 8e800aacf3
commit 624dc54e11
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/stable/10/; revision=312569

View File

@ -557,7 +557,7 @@ editlist_populate(struct cam_device *device, int dbd, int pc, int page,
struct scsi_mode_header_6 *mh; /* Location of mode header. */
struct scsi_mode_page_header *mph;
struct scsi_mode_page_header_sp *mphsp;
int len;
size_t len;
STAILQ_INIT(&editlist);
@ -575,6 +575,7 @@ editlist_populate(struct cam_device *device, int dbd, int pc, int page,
mode_pars = (uint8_t *)(mphsp + 1);
len = scsi_2btoul(mphsp->page_length);
}
len = MIN(len, sizeof(data) - (mode_pars - data));
/* Decode the value data, creating edit_entries for each value. */
buff_decode_visit(mode_pars, len, format, editentry_create, 0);
@ -594,7 +595,7 @@ editlist_save(struct cam_device *device, int dbd, int pc, int page,
struct scsi_mode_header_6 *mh; /* Location of mode header. */
struct scsi_mode_page_header *mph;
struct scsi_mode_page_header_sp *mphsp;
int len, hlen;
size_t len, hlen;
/* Make sure that something changed before continuing. */
if (! editlist_changed)
@ -617,6 +618,7 @@ editlist_save(struct cam_device *device, int dbd, int pc, int page,
mode_pars = (uint8_t *)(mphsp + 1);
len = scsi_2btoul(mphsp->page_length);
}
len = MIN(len, sizeof(data) - (mode_pars - data));
/* Encode the value data to be passed back to the device. */
buff_encode_visit(mode_pars, len, format, editentry_save, 0);
@ -814,7 +816,7 @@ modepage_dump(struct cam_device *device, int dbd, int pc, int page, int subpage,
struct scsi_mode_header_6 *mh; /* Location of mode header. */
struct scsi_mode_page_header *mph;
struct scsi_mode_page_header_sp *mphsp;
int indx, len;
size_t indx, len;
mode_sense(device, dbd, pc, page, subpage, retries, timeout,
data, sizeof(data));
@ -829,6 +831,7 @@ modepage_dump(struct cam_device *device, int dbd, int pc, int page, int subpage,
mode_pars = (uint8_t *)(mphsp + 1);
len = scsi_2btoul(mphsp->page_length);
}
len = MIN(len, sizeof(data) - (mode_pars - data));
/* Print the raw mode page data with newlines each 8 bytes. */
for (indx = 0; indx < len; indx++) {