authorEdward Tomasz Napierala <trasz@FreeBSD.org>2021-05-03 13:46:11 +0000
committerEdward Tomasz Napierala <trasz@FreeBSD.org>2021-05-03 14:20:17 +0000
commit7818653fd6e00c3e310584723978e65674c95939 (patch)
tree065c927c494444b9a8fffae0d21fe8bed4603dcf
parent8f1562430fbb83f6cedff6450e1aa1b593e3d7e7 (diff)
cam: fix integer overflow during inquiry
From my understanding this could happen with iSCSI LUNs with unusually long names. The bug would make CAM fail to retrieve the full inquiry data. Instead of bumping the size of the local variable, just use a macro. Reviewed By: imp, mav Sponsored by: NetApp, Inc. Sponsored by: Klara, Inc. X-NetApp-PR: #50 Differential Revision: https://reviews.freebsd.org/D29991
-rw-r--r--sys/cam/scsi/scsi_xpt.c8
1 files changed, 2 insertions, 6 deletions
diff --git a/sys/cam/scsi/scsi_xpt.c b/sys/cam/scsi/scsi_xpt.c
index bed1f3ad1373..67b94488dff0 100644
--- a/sys/cam/scsi/scsi_xpt.c
+++ b/sys/cam/scsi/scsi_xpt.c
@@ -1210,8 +1210,6 @@ out:
if (periph_qual == SID_QUAL_LU_CONNECTED ||
periph_qual == SID_QUAL_LU_OFFLINE) {
- u_int8_t len;
-
/*
* We conservatively request only
* SHORT_INQUIRY_LEN bytes of inquiry
@@ -1222,11 +1220,9 @@ out:
* the amount of information the device
* is willing to give.
*/
- len = inq_buf->additional_length
- + offsetof(struct scsi_inquiry_data,
- additional_length) + 1;
if (softc->action == PROBE_INQUIRY
- && len > SHORT_INQUIRY_LENGTH) {
+ && SID_ADDITIONAL_LENGTH(inq_buf)
+ > SHORT_INQUIRY_LENGTH) {
PROBE_SET_ACTION(softc, PROBE_FULL_INQUIRY);
xpt_release_ccb(done_ccb);
xpt_schedule(periph, priority);
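Review bot: The new condition `SID_ADDITIONAL_LENGTH(inq_buf) > SHORT_INQUIRY_LENGTH` only avoids the old truncation if the macro evaluates in a type wider than 8 bits, and neither the surrounding comment nor this hunk shows the macro's definition to confirm that. Because `additional_length` is a byte reported by the device (the commit message mentions iSCSI LUNs with unusually long names), the existing block comment could gain a line such as `/* additional_length is device-supplied; header + length can exceed 255, so do not store it in a u_int8_t. */` so that a later edit does not reintroduce a narrow local. It would also be worth confirming that the code which builds the PROBE_FULL_INQUIRY request, outside this hunk, takes its length from the same macro and bounds it by the size of the inquiry buffer. The enclosing function starts and ends outside the hunk.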