Date:      Tue, 24 May 2016 07:19:53 +0000 (UTC)
From:      Alexander Motin <mav@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r300588 - stable/10/sys/cam/ctl
Message-ID:  <201605240719.u4O7Jrr9076969@repo.freebsd.org>

Author: mav
Date: Tue May 24 07:19:52 2016
New Revision: 300588
URL: https://svnweb.freebsd.org/changeset/base/300588

Log:
  MFC r299347, r299348: Validate XCOPY range offsets and lengths.

Modified:
  stable/10/sys/cam/ctl/ctl_tpc.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/cam/ctl/ctl_tpc.c
==============================================================================
--- stable/10/sys/cam/ctl/ctl_tpc.c	Tue May 24 07:19:00 2016	(r300587)
+++ stable/10/sys/cam/ctl/ctl_tpc.c	Tue May 24 07:19:52 2016	(r300588)
@@ -1104,7 +1104,23 @@ tpc_ranges_length(struct scsi_range_desc
 }
 
 static int
-tpc_check_ranges(struct scsi_range_desc *range, int nrange)
+tpc_check_ranges_l(struct scsi_range_desc *range, int nrange, uint64_t maxlba)
+{
+	uint64_t b1;
+	uint32_t l1;
+	int i;
+
+	for (i = 0; i < nrange; i++) {
+		b1 = scsi_8btou64(range[i].lba);
+		l1 = scsi_4btoul(range[i].length);
+		if (b1 + l1 < b1 || b1 + l1 > maxlba + 1)
+			return (-1);
+	}
+	return (0);
+}
+
+static int
+tpc_check_ranges_x(struct scsi_range_desc *range, int nrange)
 {
 	uint64_t b1, b2;
 	uint32_t l1, l2;
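Review bot: The new `tpc_check_ranges_l` has no comment saying what it enforces or what a `-1` return means, and the `_l`/`_x` suffixes do not explain themselves. I would add above it `/* Reject any range that wraps the 64-bit LBA space or extends past maxlba. */`, plus a matching one-line comment on `tpc_check_ranges_x`, whose body continues outside this hunk. A descriptor with length 0 and LBA equal to `maxlba + 1` passes the test on the `b1 + l1 > maxlba + 1` line; if that is intended, the comment should say so. Since the loop only reads through `range`, the parameter could also be `const struct scsi_range_desc *range`.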
@@ -2013,9 +2029,16 @@ ctl_populate_token(struct ctl_scsiio *ct
 	}
 
 	/* Validate list of ranges */
-	if (tpc_check_ranges(&data->desc[0],
+	if (tpc_check_ranges_l(&data->desc[0],
+	    scsi_2btoul(data->range_descriptor_length) /
+	    sizeof(struct scsi_range_desc),
+	    lun->be_lun->maxlba) != 0) {
+		ctl_set_lba_out_of_range(ctsio);
+		goto done;
+	}
+	if (tpc_check_ranges_x(&data->desc[0],
 	    scsi_2btoul(data->range_descriptor_length) /
-	    sizeof(struct scsi_range_desc))) {
+	    sizeof(struct scsi_range_desc)) != 0) {
 		ctl_set_invalid_field(ctsio, /*sks_valid*/ 0,
 		    /*command*/ 0, /*field*/ 0, /*bit_valid*/ 0,
 		    /*bit*/ 0);
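Review bot: The descriptor count `scsi_2btoul(data->range_descriptor_length) / sizeof(struct scsi_range_desc)` is taken from the initiator-supplied parameter list and is now evaluated twice in `ctl_populate_token`, and twice again in the `ctl_write_using_token` hunk. Nothing in these hunks shows that `range_descriptor_length` has been bounded by the amount of data actually received. Both functions start outside the hunks, so that check may already exist earlier, but if it does not, both helpers would walk `data->desc[]` past the end of the buffer. I would compute the count once into a local, e.g. `nrange = scsi_2btoul(data->range_descriptor_length) / sizeof(struct scsi_range_desc);`, right after that bound is verified, and pass `nrange` to both calls. The division also silently ignores a trailing partial descriptor, which deserves a comment if it is deliberate.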
@@ -2154,9 +2177,16 @@ ctl_write_using_token(struct ctl_scsiio 
 */
 
 	/* Validate list of ranges */
-	if (tpc_check_ranges(&data->desc[0],
+	if (tpc_check_ranges_l(&data->desc[0],
+	    scsi_2btoul(data->range_descriptor_length) /
+	    sizeof(struct scsi_range_desc),
+	    lun->be_lun->maxlba) != 0) {
+		ctl_set_lba_out_of_range(ctsio);
+		goto done;
+	}
+	if (tpc_check_ranges_x(&data->desc[0],
 	    scsi_2btoul(data->range_descriptor_length) /
-	    sizeof(struct scsi_range_desc))) {
+	    sizeof(struct scsi_range_desc)) != 0) {
 		ctl_set_invalid_field(ctsio, /*sks_valid*/ 0,
 		    /*command*/ 0, /*field*/ 0, /*bit_valid*/ 0,
 		    /*bit*/ 0);


