Date:      Fri, 8 Dec 2017 05:32:18 +0000 (UTC)
From:      Alan Somers <asomers@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r326680 - stable/11/sys/cam/scsi
Message-ID:  <201712080532.vB85WIa1034905@repo.freebsd.org>

Author: asomers
Date: Fri Dec  8 05:32:17 2017
New Revision: 326680
URL: https://svnweb.freebsd.org/changeset/base/326680

Log:
  MFC r325947:
  
  Fix potential NULL pointer dereference of device physical path
  
  In scsi_dev_advinfo(), if the physical path is being stored and there is a
  malloc failure (malloc(9) is called with M_NOWAIT), we could wind up in a
  situation where the device's physpath_len is set to the length the user
  provided, but the physpath itself is NULL.
  
  If another context then comes in to fetch the physical path value, we would
  wind up trying to memcpy a NULL pointer into the caller's buffer.
  
  So, set the physpath_len to 0 when we free the physpath on entry into the
  store case for the physical path.  Reset the length to a non-zero value only
  after we've successfully malloced a buffer to hold it.
  
  Submitted by:	ken
  Reviewed by:	asomers
  Sponsored by:	Spectra Logic Corp
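The failure mode the log describes can be reproduced outside the kernel. The following is an added userland model written for this page, not CAM code: `struct dev_model`, `nowait_malloc()`, `store_physpath_old()`, `store_physpath_new()`, `fetch_physpath()` and `run_scenario()` are all hypothetical names, and the allocator is a stand-in for malloc(9) with M_NOWAIT whose failure can be forced. It stores a path, forces the next allocation to fail during a second store, then fetches, once with the pre-patch ordering of the length assignment and once with the patched ordering.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of the two device fields the patch touches (not CAM code). */
struct dev_model {
	char	*physpath;
	size_t	 physpath_len;
};

/* Stand-in for malloc(9) with M_NOWAIT: fails once when fail_next_alloc is set. */
static int fail_next_alloc;

static void *
nowait_malloc(size_t n)
{
	if (fail_next_alloc) {
		fail_next_alloc = 0;
		return (NULL);
	}
	return (malloc(n));
}

/* Pre-patch ordering: the length is published before a buffer exists. */
static int
store_physpath_old(struct dev_model *d, const char *buf, size_t bufsiz)
{
	if (d->physpath != NULL) {
		free(d->physpath);
		d->physpath = NULL;
	}
	d->physpath_len = bufsiz;	/* defect: set before allocation succeeds */
	if (bufsiz == 0)
		return (0);
	d->physpath = nowait_malloc(bufsiz);
	if (d->physpath == NULL)
		return (-1);		/* kernel returns CAM_REQ_ABORTED here */
	memcpy(d->physpath, buf, bufsiz);
	return (0);
}

/* Patched ordering: length zeroed with the free, set only after malloc succeeds. */
static int
store_physpath_new(struct dev_model *d, const char *buf, size_t bufsiz)
{
	if (d->physpath != NULL) {
		free(d->physpath);
		d->physpath = NULL;
		d->physpath_len = 0;
	}
	if (bufsiz == 0)
		return (0);
	d->physpath = nowait_malloc(bufsiz);
	if (d->physpath == NULL)
		return (-1);
	d->physpath_len = bufsiz;
	memcpy(d->physpath, buf, bufsiz);
	return (0);
}

/*
 * Fetch like the else branch: report physpath_len and copy that many bytes.
 * Returns -2 at the point where the kernel would have dereferenced NULL.
 */
static int
fetch_physpath(const struct dev_model *d, char *out, size_t outsz, size_t *provsiz)
{
	*provsiz = d->physpath_len;
	if (d->physpath_len == 0)
		return (0);
	if (d->physpath == NULL)
		return (-2);
	memcpy(out, d->physpath, d->physpath_len < outsz ? d->physpath_len : outsz);
	return (0);
}

/* Store, then store again under allocation failure, then fetch (constructed paths). */
static int
run_scenario(int (*store)(struct dev_model *, const char *, size_t))
{
	struct dev_model d = { NULL, 0 };
	char out[64];
	size_t prov;
	int rc;

	(void)store(&d, "old-path", sizeof("old-path"));
	fail_next_alloc = 1;
	(void)store(&d, "new-path", sizeof("new-path"));
	rc = fetch_physpath(&d, out, sizeof(out), &prov);
	free(d.physpath);
	return (rc);
}

int
main(void)
{
	printf("pre-patch ordering: fetch rc=%d\n", run_scenario(store_physpath_old));
	printf("patched ordering:   fetch rc=%d\n", run_scenario(store_physpath_new));
	return (0);
}
```

With the old ordering the fetch finds `physpath_len == 9` and `physpath == NULL`, which is the memcpy from NULL the log warns about; with the patched ordering the failed store leaves the pair at (NULL, 0) and the fetch simply reports a zero-length path.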

Modified:
  stable/11/sys/cam/scsi/scsi_xpt.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/cam/scsi/scsi_xpt.c
==============================================================================
--- stable/11/sys/cam/scsi/scsi_xpt.c	Fri Dec  8 05:26:10 2017	(r326679)
+++ stable/11/sys/cam/scsi/scsi_xpt.c	Fri Dec  8 05:32:17 2017	(r326680)
@@ -2506,8 +2506,8 @@ scsi_dev_advinfo(union ccb *start_ccb)
 			if (device->physpath != NULL) {
 				free(device->physpath, M_CAMXPT);
 				device->physpath = NULL;
+				device->physpath_len = 0;
 			}
-			device->physpath_len = cdai->bufsiz;
 			/* Clear existing buffer if zero length */
 			if (cdai->bufsiz == 0)
 				break;
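Review bot: Moving `device->physpath_len = 0;` under the `if (device->physpath != NULL)` branch ties the length to the buffer it describes, so once the `free()` has run a fetch through the `else` branch sees `provsiz == 0` instead of a stale length paired with a NULL pointer. The zero-length clear path (`if (cdai->bufsiz == 0) break;`) now leaves `physpath_len` untouched when `physpath` was already NULL, which is only correct because the two fields are kept consistent everywhere; a one-line comment above the `if` stating that invariant (length is zero whenever the pointer is NULL) would make that dependency visible to the next reader.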
@@ -2516,6 +2516,7 @@ scsi_dev_advinfo(union ccb *start_ccb)
 				start_ccb->ccb_h.status = CAM_REQ_ABORTED;
 				return;
 			}
+			device->physpath_len = cdai->bufsiz;
 			memcpy(device->physpath, cdai->buf, cdai->bufsiz);
 		} else {
 			cdai->provsiz = device->physpath_len;
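Review bot: Placing `device->physpath_len = cdai->bufsiz;` after the check that returns with `CAM_REQ_ABORTED` means an M_NOWAIT allocation failure leaves the device at `physpath == NULL`, `physpath_len == 0`, so a later fetch copies nothing rather than dereferencing NULL. Since this ordering is the whole fix and is easy to undo in a refactor, a short comment on that line noting that the length must not be published until the buffer exists would be worth adding.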
