Author: mav
Date: Tue Jan 10 20:52:44 2017
New Revision: 311897
URL: https://svnweb.freebsd.org/changeset/base/311897

Log:
  Add checks for received mode page length.
  
  If our buffer is too small, we may receive only part of the page, and should
  not try to read/write past the end of the buffer.
  
  Reported by:  Coverity
  CID:          1368374, 1368375
  MFC after:    1 week

Modified:
  head/sbin/camcontrol/modeedit.c

Modified: head/sbin/camcontrol/modeedit.c
==============================================================================
--- head/sbin/camcontrol/modeedit.c     Tue Jan 10 20:44:31 2017        
(r311896)
+++ head/sbin/camcontrol/modeedit.c     Tue Jan 10 20:52:44 2017        
(r311897)
@@ -557,7 +557,7 @@ editlist_populate(struct cam_device *dev
        struct scsi_mode_header_6 *mh;  /* Location of mode header. */
        struct scsi_mode_page_header *mph;
        struct scsi_mode_page_header_sp *mphsp;
-       int len;
+       size_t len;
 
        STAILQ_INIT(&editlist);
 
@@ -575,6 +575,7 @@ editlist_populate(struct cam_device *dev
                mode_pars = (uint8_t *)(mphsp + 1);
                len = scsi_2btoul(mphsp->page_length);
        }
+       len = MIN(len, sizeof(data) - (mode_pars - data));
 
        /* Decode the value data, creating edit_entries for each value. */
        buff_decode_visit(mode_pars, len, format, editentry_create, 0);
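Review bot: The new clamp `len = MIN(len, sizeof(data) - (mode_pars - data));` only bounds `len` while `mode_pars` still points inside `data`. `mode_pars` is derived from header pointers computed outside this hunk, presumably using lengths reported by the device; if it ever lands past the end of the buffer, the subtraction wraps as `size_t` and `len` is left effectively unclamped. Checking the offset first closes that case: `size_t off = mode_pars - data;` followed by `len = (off < sizeof(data)) ? MIN(len, sizeof(data) - off) : 0;`. The same applies to the identical lines added in editlist_save and modepage_dump. The bound is also the buffer size rather than the number of bytes actually returned, so a short transfer could still expose stale buffer contents to the decoder; this is worth confirming against how `data` is initialised.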
@@ -594,7 +595,7 @@ editlist_save(struct cam_device *device,
        struct scsi_mode_header_6 *mh;  /* Location of mode header. */
        struct scsi_mode_page_header *mph;
        struct scsi_mode_page_header_sp *mphsp;
-       int len, hlen;
+       size_t len, hlen;
 
        /* Make sure that something changed before continuing. */
        if (! editlist_changed)
@@ -617,6 +618,7 @@ editlist_save(struct cam_device *device,
                mode_pars = (uint8_t *)(mphsp + 1);
                len = scsi_2btoul(mphsp->page_length);
        }
+       len = MIN(len, sizeof(data) - (mode_pars - data));
 
        /* Encode the value data to be passed back to the device. */
        buff_encode_visit(mode_pars, len, format, editentry_save, 0);
@@ -814,7 +816,7 @@ modepage_dump(struct cam_device *device,
        struct scsi_mode_header_6 *mh;  /* Location of mode header. */
        struct scsi_mode_page_header *mph;
        struct scsi_mode_page_header_sp *mphsp;
-       int indx, len;
+       size_t indx, len;
 
        mode_sense(device, dbd, pc, page, subpage, retries, timeout,
            data, sizeof(data));
@@ -829,6 +831,7 @@ modepage_dump(struct cam_device *device,
                mode_pars = (uint8_t *)(mphsp + 1);
                len = scsi_2btoul(mphsp->page_length);
        }
+       len = MIN(len, sizeof(data) - (mode_pars - data));
 
        /* Print the raw mode page data with newlines each 8 bytes. */
        for (indx = 0; indx < len; indx++) {