Author: dab
Date: Mon Mar 25 17:04:33 2019
New Revision: 345508
URL: https://svnweb.freebsd.org/changeset/base/345508
Log:
MFC r345009:
Fix a scribbler in the PMS driver.
The ESGL bit was left uninitialized when executing the REPORT LUNS
ioctl. This could allow a zeroed data buffer to be treated as a
scatter/gather list. The firmware would eventually walk past the end
of the data buffer, potentially find what looked like a valid
address/length pair, and write the result to semi-random memory.
Obtained from: Dell EMC Isilon
Sponsored by: Dell EMC Isilon
Modified:
stable/10/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c
Directory Properties:
stable/10/ (props changed)
Modified: stable/10/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c
==============================================================================
--- stable/10/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c Mon Mar 25
17:04:14 2019 (r345507)
+++ stable/10/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c Mon Mar 25
17:04:33 2019 (r345508)
@@ -1874,7 +1874,9 @@ tiNumOfLunIOCTLreq(
agSSPFrame->dataLength = REPORT_LUN_LEN;
agSSPFrame->agSgl.len = sizeof(agsaSSPCmdInfoUnit_t);
-
+ agSSPFrame->agSgl.extReserved = 0;
+ CLEAR_ESGL_EXTEND(agSSPFrame->agSgl.extReserved);
+
status = saSSPStart(agRoot, agIORequest, 0, agDevHandle,
agRequestType,agSASRequestBody,agNULL,
&ossaSSPIoctlCompleted);
if(status != AGSA_RC_SUCCESS)
_______________________________________________
svn-src-stable-10@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-stable-10
To unsubscribe, send any mail to "svn-src-stable-10-unsubscr...@freebsd.org"
