Package: hddtemp
Version: 0.3-beta15-44
Severity: important
I have a USB multi-card reader and found a string overflow in hddtemp.
When a device reports a full 16-byte Product ID, the string won't get
zero-terminated.
Example:
# hddtemp /dev/sdi
/dev/sdi: Generic STORAGE DEVICE-A9727::::<@: S.M.A.R.T. not available
                                  ^^^^^^^^^^ overflow!!
(lsusb identifies the device as "ID 05e3:0716 Genesys Logic, Inc.")
A hex dump of the INQUIRY packet shows the following:
dumping 36 bytes from 0x7fffd9847e50
       0 1   2 3   4 5   6 7   8 9   A B   C D   E F   0123456789ABCDEF
0000: 00-80 00-00 29-00 00-00 47-65 6E-65 72-69 63-20  ....)...Generic
0010: 53-54 4F-52 41-47 45-20 44-45 56-49 43-45 2D-41  STORAGE DEVICE-A
0020: 39-37 32-37   -     -     -     -     -     -    9727
According to SPC-2, the vendor is "Generic ", product "STORAGE DEVICE-A"
and the revision level is "9727".
I've attached a patch that moves scsi_fixstring() into scsi_model (where
it belongs), and truncates the model string to 24 bytes (Vendor+Product ID).
-- System Information:
Debian Release: 5.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages hddtemp depends on:
ii  debconf [debconf-2.0]   1.5.24   Debian configuration management sy
ii  libc6                   2.7-18   GNU C Library: Shared libraries
ii  lsb-base                3.2-20   Linux Standard Base 3.2 init scrip
hddtemp recommends no packages.
Versions of packages hddtemp suggests:
pn  ksensors                <none>   (no description available)
-- debconf information excluded
--
Dipl.-Inform. Thomas Kindler,
[email protected] +49-(0)208/9963-346
Lenord, Bauer & Co. GmbH / Abt. CEE
Dohlenstrasse 32, D46145-Oberhausen
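Added example (not part of the original report, the attached patch, or hddtemp's code): a bounded way to read the fixed-width, unterminated INQUIRY fields described in the report, run over the 36 bytes from the hex dump above. The names inq_field, inq_model and sample_inquiry are hypothetical; the offsets are the standard INQUIRY layout the report cites from SPC-2.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard INQUIRY data: space-padded ASCII fields with no NUL terminator. */
enum { INQ_VENDOR_OFF = 8,   INQ_VENDOR_LEN = 8,
       INQ_PRODUCT_OFF = 16, INQ_PRODUCT_LEN = 16,
       INQ_REV_OFF = 32,     INQ_REV_LEN = 4 };

/* The 36 bytes shown in the report's hex dump. */
static const uint8_t sample_inquiry[36] = {
    0x00,0x80,0x00,0x00,0x29,0x00,0x00,0x00,
    0x47,0x65,0x6E,0x65,0x72,0x69,0x63,0x20,   /* "Generic "          */
    0x53,0x54,0x4F,0x52,0x41,0x47,0x45,0x20,   /* "STORAGE "          */
    0x44,0x45,0x56,0x49,0x43,0x45,0x2D,0x41,   /* "DEVICE-A"          */
    0x39,0x37,0x32,0x37                        /* "9727" (revision)   */
};

/* Hypothetical helper: copy the field at [off, off+len) into dst, replace
 * non-printable bytes, trim trailing padding and always NUL-terminate.
 * Returns the string length, or -1 if the field lies outside the response
 * or dst cannot hold len bytes plus the terminator. */
int inq_field(const uint8_t *inq, size_t inq_len, size_t off, size_t len,
              char *dst, size_t dst_size)
{
    if (off > inq_len || len > inq_len - off || dst_size < len + 1)
        return -1;
    for (size_t i = 0; i < len; i++) {
        uint8_t c = inq[off + i];
        dst[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    while (len > 0 && dst[len - 1] == ' ')
        len--;
    dst[len] = '\0';            /* the step missing in the reported output */
    return (int)len;
}

/* Model string = Vendor ID + Product ID, 24 bytes, as the report proposes. */
int inq_model(const uint8_t *inq, size_t inq_len, char *dst, size_t dst_size)
{
    return inq_field(inq, inq_len, INQ_VENDOR_OFF,
                     INQ_VENDOR_LEN + INQ_PRODUCT_LEN, dst, dst_size);
}

int main(void)
{
    char model[INQ_VENDOR_LEN + INQ_PRODUCT_LEN + 1];
    if (inq_model(sample_inquiry, sizeof sample_inquiry, model, sizeof model) >= 0)
        printf("model: \"%s\"\n", model);
    return 0;
}
```

A destination buffer sized to exactly the field width (16 bytes for the Product ID) is rejected rather than left unterminated, which is the case that produced the trailing revision bytes and stack garbage in the output above.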