Module Name: src Committed By: riastradh Date: Sat Mar 12 16:57:16 UTC 2022
Modified Files: src/sys/dev/scsipi: scsiconf.c Log Message: scsi(9): Handle bogus number of LUNs in SCSI_REPORT_LUNS. Reported-by: syzbot+76ef9084533d4bcce...@syzkaller.appspotmail.com To generate a diff of this commit: cvs rdiff -u -r1.299 -r1.300 src/sys/dev/scsipi/scsiconf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/dev/scsipi/scsiconf.c diff -u src/sys/dev/scsipi/scsiconf.c:1.299 src/sys/dev/scsipi/scsiconf.c:1.300 --- src/sys/dev/scsipi/scsiconf.c:1.299 Sat Mar 12 15:32:32 2022 +++ src/sys/dev/scsipi/scsiconf.c Sat Mar 12 16:57:15 2022 @@ -1,4 +1,4 @@ -/* $NetBSD: scsiconf.c,v 1.299 2022/03/12 15:32:32 riastradh Exp $ */ +/* $NetBSD: scsiconf.c,v 1.300 2022/03/12 16:57:15 riastradh Exp $ */ /*- * Copyright (c) 1998, 1999, 2004 The NetBSD Foundation, Inc. @@ -48,7 +48,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: scsiconf.c,v 1.299 2022/03/12 15:32:32 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: scsiconf.c,v 1.300 2022/03/12 16:57:15 riastradh Exp $"); #include <sys/param.h> #include <sys/systm.h> @@ -400,7 +400,7 @@ scsi_report_luns(struct scsibus_softc *s uint16_t tmp; int error; - size_t i, rlrlen; + size_t i, rlrlen, rlrlenmin; memset(&replun, 0, sizeof(replun)); @@ -421,7 +421,7 @@ scsi_report_luns(struct scsibus_softc *s goto end2; } - rlrlen = sizeof(*rlr) + sizeof(*lunp) * 1; + rlrlen = rlrlenmin = sizeof(*rlr) + sizeof(*lunp) * 1; again: rlr = kmem_zalloc(rlrlen, KM_SLEEP); @@ -443,6 +443,10 @@ again: 16383 * sizeof(*lunp)); kmem_free(rlr, old_rlrlen); rlr = NULL; + if (rlrlen < rlrlenmin) { + error = EIO; + goto end; + } goto again; }
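Review bot: The new `goto end` in the last hunk is taken with `rlr` already set to NULL and `rlrlen` holding the rejected value, so it is worth confirming that the cleanup at `end:` skips `kmem_free` when `rlr == NULL` instead of freeing with that bogus size. The `end:` label is outside the hunk, so this cannot be checked from here. The check also carries no comment on how `rlrlen` can fall below `rlrlenmin`. The value appears to be derived from the length field of the device's response, so a line such as `/* reported LUN list too short to hold one entry: fail, don't retry with an undersized buffer */` above the `if` would record that this validates untrusted device data. The condition guarding the retry also starts outside the hunk, so whether the `goto again` loop is otherwise bounded cannot be judged from these lines.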