Commit 21d3de02 authored by Douglas Gilbert, committed by Jeff Garzik

[PATCH] off-by-1 libata-scsi INQUIRY VPD pages 0x80 and 0x83

I have some code (in sginfo) that requests the first 4 bytes
of SCSI INQUIRY VPD pages to get their length then asks for
that exact length in a follow up request to fetch the payload.
Just like I saw with 36 byte standard INQUIRYs (no fixed)
I get a buffer full of zeroes.

BTW SCSI standards dictate that in situations where the allocation
length (in the cdb) is less than what is needed that what can be
sent shall be sent (i.e. truncated and without any error indication
or modification to the part of the response returned).
In other words it is up to the application client to take remedial
action.

Changelog:
   - fix off-by-1 allocation length issue with SCSI
     INQUIRY VPD pages 0x80 and 0x83
Signed-off-by: Jeff Garzik <jgarzik@pobox.com>
parent 046de9be
...@@ -898,7 +898,7 @@ unsigned int ata_scsiop_inq_80(struct ata_scsi_args *args, u8 *rbuf, ...@@ -898,7 +898,7 @@ unsigned int ata_scsiop_inq_80(struct ata_scsi_args *args, u8 *rbuf,
}; };
memcpy(rbuf, hdr, sizeof(hdr)); memcpy(rbuf, hdr, sizeof(hdr));
if (buflen > (ATA_SERNO_LEN + 4)) if (buflen > (ATA_SERNO_LEN + 4 - 1))
ata_dev_id_string(args->id, (unsigned char *) &rbuf[4], ata_dev_id_string(args->id, (unsigned char *) &rbuf[4],
ATA_ID_SERNO_OFS, ATA_SERNO_LEN); ATA_ID_SERNO_OFS, ATA_SERNO_LEN);
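Review bot: The new bound `buflen > (ATA_SERNO_LEN + 4 - 1)` in ata_scsiop_inq_80 would read more directly as `buflen >= ATA_SERNO_LEN + 4`, which says that the 4-byte header plus the serial number must fit. The branch also stays all-or-nothing: a buffer one byte short still gets the header and no serial bytes, while the commit message notes that the standard expects whatever fits to be sent truncated, so copying the smaller of `buflen - 4` and ATA_SERNO_LEN would match that more closely. Separately, the `memcpy(rbuf, hdr, sizeof(hdr))` ahead of the check is not guarded by buflen in the lines shown, which matters for exactly the 4-byte probe request the commit message describes if a caller ever passes less.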
...@@ -927,7 +927,7 @@ unsigned int ata_scsiop_inq_83(struct ata_scsi_args *args, u8 *rbuf, ...@@ -927,7 +927,7 @@ unsigned int ata_scsiop_inq_83(struct ata_scsi_args *args, u8 *rbuf,
rbuf[3] = 4 + strlen(inq_83_str); /* page len */ rbuf[3] = 4 + strlen(inq_83_str); /* page len */
/* our one and only identification descriptor (vendor-specific) */ /* our one and only identification descriptor (vendor-specific) */
if (buflen > (strlen(inq_83_str) + 4 + 4)) { if (buflen > (strlen(inq_83_str) + 4 + 4 - 1)) {
rbuf[4 + 0] = 2; /* code set: ASCII */ rbuf[4 + 0] = 2; /* code set: ASCII */
rbuf[4 + 3] = strlen(inq_83_str); rbuf[4 + 3] = strlen(inq_83_str);
memcpy(rbuf + 4 + 4, inq_83_str, strlen(inq_83_str)); memcpy(rbuf + 4 + 4, inq_83_str, strlen(inq_83_str));
......
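Review bot: The condition `buflen > (strlen(inq_83_str) + 4 + 4 - 1)` in ata_scsiop_inq_83 stacks three bare constants on a repeated strlen() call; computing the string length once into a local and testing `buflen >= len + 4 + 4` (page header plus descriptor header) would make the boundary easier to verify and avoid the four separate strlen() calls visible in this hunk. As in the 0x80 page, the descriptor is written only when the whole thing fits, so a slightly short allocation length returns the page length in `rbuf[3]` with an empty descriptor rather than a truncated one; a comment stating that this is intentional, or a partial copy, would help. The write to `rbuf[3]` itself is not bounded by buflen in the lines shown.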