Author: mav
Date: Tue May 10 08:28:16 2016
New Revision: 299347
URL: https://svnweb.freebsd.org/changeset/base/299347

Log:
  Validate XCOPY range offsets and lengths.
  
  MFC after:    2 weeks

Modified:
  head/sys/cam/ctl/ctl_tpc.c

Modified: head/sys/cam/ctl/ctl_tpc.c
==============================================================================
--- head/sys/cam/ctl/ctl_tpc.c  Tue May 10 08:08:39 2016        (r299346)
+++ head/sys/cam/ctl/ctl_tpc.c  Tue May 10 08:28:16 2016        (r299347)
@@ -1104,12 +1104,18 @@ tpc_ranges_length(struct scsi_range_desc
 }
 
 static int
-tpc_check_ranges(struct scsi_range_desc *range, int nrange)
+tpc_check_ranges(struct scsi_range_desc *range, int nrange, uint64_t maxlba)
 {
        uint64_t b1, b2;
        uint32_t l1, l2;
        int i, j;
 
+       for (i = 0; i < nrange; i++) {
+               b1 = scsi_8btou64(range[i].lba);
+               l1 = scsi_4btoul(range[i].length);
+               if (b1 + l1 < b1 || b1 + l1 > maxlba + 1)
+                       return (-1);
+       }
        for (i = 0; i < nrange - 1; i++) {
                b1 = scsi_8btou64(range[i].lba);
                l1 = scsi_4btoul(range[i].length);
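Review bot: The new bounds loop in tpc_check_ranges() returns the same -1 as the overlap check that follows it, so a caller cannot tell an out-of-range descriptor from an overlapping pair. Both call sites later in this commit answer either case with ctl_set_invalid_field() and sks_valid 0. If the initiator is meant to see an LBA-out-of-range style response, the function needs a distinct return value or a separate helper. The loop also deserves a comment such as `/* Reject ranges that wrap or end past maxlba (the last valid LBA). */`; note that `maxlba + 1` wraps to 0 when maxlba is UINT64_MAX, which fails closed by rejecting every non-empty range. The function body continues past the end of this hunk.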
@@ -2015,7 +2021,8 @@ ctl_populate_token(struct ctl_scsiio *ct
        /* Validate list of ranges */
        if (tpc_check_ranges(&data->desc[0],
            scsi_2btoul(data->range_descriptor_length) /
-           sizeof(struct scsi_range_desc))) {
+           sizeof(struct scsi_range_desc),
+           lun->be_lun->maxlba) != 0) {
                ctl_set_invalid_field(ctsio, /*sks_valid*/ 0,
                    /*command*/ 0, /*field*/ 0, /*bit_valid*/ 0,
                    /*bit*/ 0);
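Review bot: The descriptor count passed to tpc_check_ranges() is `scsi_2btoul(data->range_descriptor_length) / sizeof(struct scsi_range_desc)`, so an initiator-supplied length that is not a multiple of the descriptor size is rounded down and the trailing bytes are never validated. The same expression appears in the ctl_write_using_token() hunk. Any check of range_descriptor_length against the received parameter list, or for a remainder, would sit outside these hunks, so this may already be covered. If it is not, a guard such as `if (scsi_2btoul(data->range_descriptor_length) % sizeof(struct scsi_range_desc) != 0)` ahead of the call would reject malformed lists explicitly rather than silently truncating them.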
@@ -2156,7 +2163,8 @@ ctl_write_using_token(struct ctl_scsiio 
        /* Validate list of ranges */
        if (tpc_check_ranges(&data->desc[0],
            scsi_2btoul(data->range_descriptor_length) /
-           sizeof(struct scsi_range_desc))) {
+           sizeof(struct scsi_range_desc),
+           lun->be_lun->maxlba) != 0) {
                ctl_set_invalid_field(ctsio, /*sks_valid*/ 0,
                    /*command*/ 0, /*field*/ 0, /*bit_valid*/ 0,
                    /*bit*/ 0);