diff options
| author | Martin K. Petersen <martin.petersen@oracle.com> | 2017-03-17 08:47:14 -0400 |
|---|---|---|
| committer | Mister Oyster <oysterized@gmail.com> | 2017-07-04 11:51:16 +0200 |
| commit | 650c107c53d3cdaa664191377d8fcfb4ca2e1612 (patch) | |
| tree | b2b20a07326629973ad78d2d60b2db320c797acd | |
| parent | aae086a90aa89bd0e3f14b0c4ea110b4a5f23bec (diff) | |
scsi: sr: Sanity check returned mode data
commit a00a7862513089f17209b732f230922f1942e0b9 upstream.
Kefeng Wang discovered that old versions of the QEMU CD driver would
return mangled mode data causing us to walk off the end of the buffer in
an attempt to parse it. Sanity check the returned mode sense data.
Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Tested-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
| -rw-r--r-- | drivers/scsi/sr.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c index 1ac9943cb..c1f23abd7 100644 --- a/drivers/scsi/sr.c +++ b/drivers/scsi/sr.c @@ -855,6 +855,7 @@ static void get_capabilities(struct scsi_cd *cd) unsigned char *buffer; struct scsi_mode_data data; struct scsi_sense_hdr sshdr; + unsigned int ms_len = 128; int rc, n; static const char *loadmech[] = @@ -881,10 +882,11 @@ static void get_capabilities(struct scsi_cd *cd) scsi_test_unit_ready(cd->device, SR_TIMEOUT, MAX_RETRIES, &sshdr); /* ask for mode page 0x2a */ - rc = scsi_mode_sense(cd->device, 0, 0x2a, buffer, 128, + rc = scsi_mode_sense(cd->device, 0, 0x2a, buffer, ms_len, SR_TIMEOUT, 3, &data, NULL); - if (!scsi_status_is_good(rc)) { + if (!scsi_status_is_good(rc) || data.length > ms_len || + data.header_length + data.block_descriptor_length > data.length) { /* failed, drive doesn't have capabilities mode page */ cd->cdi.speed = 1; cd->cdi.mask |= (CDC_CD_R | CDC_CD_RW | CDC_DVD_R | |