aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric Moore <eric.moore@lsil.com>2006-04-26 15:22:37 -0400
committerJames Bottomley <jejb@mulgrave.il.steeleye.com>2006-04-27 14:59:30 -0400
commit509e5e5d206ff7ba08011b61a882d09369ec20c3 (patch)
treeadc438ae6704744a2158f4fe8da50839b6b7723d
parentf2536cbd12e5182558cce42efd41072bd558596b (diff)
[SCSI] fusion - bug fix stack overflow in mptbase
Bug fix for stack overflow in EventDescriptionStr, (a function for debuging firmware events). We allocated 50 bytes on local stack for buff[], however there are places in the code where we've attempted copying in greater than 50 bytes into buff[]. Signed-off-by: Eric Moore <Eric.Moore@lsil.com> Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
-rw-r--r--drivers/message/fusion/mptbase.c60
1 files changed, 37 insertions, 23 deletions
diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c
index 5fe6e8df50ab..9080853fe283 100644
--- a/drivers/message/fusion/mptbase.c
+++ b/drivers/message/fusion/mptbase.c
@@ -5735,12 +5735,13 @@ mpt_HardResetHandler(MPT_ADAPTER *ioc, int sleepFlag)
5735 return rc; 5735 return rc;
5736} 5736}
5737 5737
5738# define EVENT_DESCR_STR_SZ 100
5739
5738/*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/ 5740/*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
5739static void 5741static void
5740EventDescriptionStr(u8 event, u32 evData0, char *evStr) 5742EventDescriptionStr(u8 event, u32 evData0, char *evStr)
5741{ 5743{
5742 char *ds; 5744 char *ds = NULL;
5743 char buf[50];
5744 5745
5745 switch(event) { 5746 switch(event) {
5746 case MPI_EVENT_NONE: 5747 case MPI_EVENT_NONE:
@@ -5777,9 +5778,9 @@ EventDescriptionStr(u8 event, u32 evData0, char *evStr)
5777 if (evData0 == MPI_EVENT_LOOP_STATE_CHANGE_LIP) 5778 if (evData0 == MPI_EVENT_LOOP_STATE_CHANGE_LIP)
5778 ds = "Loop State(LIP) Change"; 5779 ds = "Loop State(LIP) Change";
5779 else if (evData0 == MPI_EVENT_LOOP_STATE_CHANGE_LPE) 5780 else if (evData0 == MPI_EVENT_LOOP_STATE_CHANGE_LPE)
5780 ds = "Loop State(LPE) Change"; /* ??? */ 5781 ds = "Loop State(LPE) Change"; /* ??? */
5781 else 5782 else
5782 ds = "Loop State(LPB) Change"; /* ??? */ 5783 ds = "Loop State(LPB) Change"; /* ??? */
5783 break; 5784 break;
5784 case MPI_EVENT_LOGOUT: 5785 case MPI_EVENT_LOGOUT:
5785 ds = "Logout"; 5786 ds = "Logout";
@@ -5845,22 +5846,28 @@ EventDescriptionStr(u8 event, u32 evData0, char *evStr)
5845 u8 ReasonCode = (u8)(evData0 >> 16); 5846 u8 ReasonCode = (u8)(evData0 >> 16);
5846 switch (ReasonCode) { 5847 switch (ReasonCode) {
5847 case MPI_EVENT_SAS_DEV_STAT_RC_ADDED: 5848 case MPI_EVENT_SAS_DEV_STAT_RC_ADDED:
5848 sprintf(buf,"SAS Device Status Change: Added: id=%d", id); 5849 snprintf(evStr, EVENT_DESCR_STR_SZ,
5850 "SAS Device Status Change: Added: id=%d", id);
5849 break; 5851 break;
5850 case MPI_EVENT_SAS_DEV_STAT_RC_NOT_RESPONDING: 5852 case MPI_EVENT_SAS_DEV_STAT_RC_NOT_RESPONDING:
5851 sprintf(buf,"SAS Device Status Change: Deleted: id=%d", id); 5853 snprintf(evStr, EVENT_DESCR_STR_SZ,
5854 "SAS Device Status Change: Deleted: id=%d", id);
5852 break; 5855 break;
5853 case MPI_EVENT_SAS_DEV_STAT_RC_SMART_DATA: 5856 case MPI_EVENT_SAS_DEV_STAT_RC_SMART_DATA:
5854 sprintf(buf,"SAS Device Status Change: SMART Data: id=%d", id); 5857 snprintf(evStr, EVENT_DESCR_STR_SZ,
5858 "SAS Device Status Change: SMART Data: id=%d",
5859 id);
5855 break; 5860 break;
5856 case MPI_EVENT_SAS_DEV_STAT_RC_NO_PERSIST_ADDED: 5861 case MPI_EVENT_SAS_DEV_STAT_RC_NO_PERSIST_ADDED:
5857 sprintf(buf,"SAS Device Status Change: No Persistancy Added: id=%d", id); 5862 snprintf(evStr, EVENT_DESCR_STR_SZ,
5863 "SAS Device Status Change: No Persistancy "
5864 "Added: id=%d", id);
5858 break; 5865 break;
5859 default: 5866 default:
5860 sprintf(buf,"SAS Device Status Change: Unknown: id=%d", id); 5867 snprintf(evStr, EVENT_DESCR_STR_SZ,
5861 break; 5868 "SAS Device Status Change: Unknown: id=%d", id);
5869 break;
5862 } 5870 }
5863 ds = buf;
5864 break; 5871 break;
5865 } 5872 }
5866 case MPI_EVENT_ON_BUS_TIMER_EXPIRED: 5873 case MPI_EVENT_ON_BUS_TIMER_EXPIRED:
@@ -5883,34 +5890,40 @@ EventDescriptionStr(u8 event, u32 evData0, char *evStr)
5883 MPI_EVENT_SAS_PLS_LR_CURRENT_SHIFT; 5890 MPI_EVENT_SAS_PLS_LR_CURRENT_SHIFT;
5884 switch (LinkRates) { 5891 switch (LinkRates) {
5885 case MPI_EVENT_SAS_PLS_LR_RATE_UNKNOWN: 5892 case MPI_EVENT_SAS_PLS_LR_RATE_UNKNOWN:
5886 sprintf(buf,"SAS PHY Link Status: Phy=%d:" 5893 snprintf(evStr, EVENT_DESCR_STR_SZ,
5894 "SAS PHY Link Status: Phy=%d:"
5887 " Rate Unknown",PhyNumber); 5895 " Rate Unknown",PhyNumber);
5888 break; 5896 break;
5889 case MPI_EVENT_SAS_PLS_LR_RATE_PHY_DISABLED: 5897 case MPI_EVENT_SAS_PLS_LR_RATE_PHY_DISABLED:
5890 sprintf(buf,"SAS PHY Link Status: Phy=%d:" 5898 snprintf(evStr, EVENT_DESCR_STR_SZ,
5899 "SAS PHY Link Status: Phy=%d:"
5891 " Phy Disabled",PhyNumber); 5900 " Phy Disabled",PhyNumber);
5892 break; 5901 break;
5893 case MPI_EVENT_SAS_PLS_LR_RATE_FAILED_SPEED_NEGOTIATION: 5902 case MPI_EVENT_SAS_PLS_LR_RATE_FAILED_SPEED_NEGOTIATION:
5894 sprintf(buf,"SAS PHY Link Status: Phy=%d:" 5903 snprintf(evStr, EVENT_DESCR_STR_SZ,
5904 "SAS PHY Link Status: Phy=%d:"
5895 " Failed Speed Nego",PhyNumber); 5905 " Failed Speed Nego",PhyNumber);
5896 break; 5906 break;
5897 case MPI_EVENT_SAS_PLS_LR_RATE_SATA_OOB_COMPLETE: 5907 case MPI_EVENT_SAS_PLS_LR_RATE_SATA_OOB_COMPLETE:
5898 sprintf(buf,"SAS PHY Link Status: Phy=%d:" 5908 snprintf(evStr, EVENT_DESCR_STR_SZ,
5909 "SAS PHY Link Status: Phy=%d:"
5899 " Sata OOB Completed",PhyNumber); 5910 " Sata OOB Completed",PhyNumber);
5900 break; 5911 break;
5901 case MPI_EVENT_SAS_PLS_LR_RATE_1_5: 5912 case MPI_EVENT_SAS_PLS_LR_RATE_1_5:
5902 sprintf(buf,"SAS PHY Link Status: Phy=%d:" 5913 snprintf(evStr, EVENT_DESCR_STR_SZ,
5914 "SAS PHY Link Status: Phy=%d:"
5903 " Rate 1.5 Gbps",PhyNumber); 5915 " Rate 1.5 Gbps",PhyNumber);
5904 break; 5916 break;
5905 case MPI_EVENT_SAS_PLS_LR_RATE_3_0: 5917 case MPI_EVENT_SAS_PLS_LR_RATE_3_0:
5906 sprintf(buf,"SAS PHY Link Status: Phy=%d:" 5918 snprintf(evStr, EVENT_DESCR_STR_SZ,
5919 "SAS PHY Link Status: Phy=%d:"
5907 " Rate 3.0 Gpbs",PhyNumber); 5920 " Rate 3.0 Gpbs",PhyNumber);
5908 break; 5921 break;
5909 default: 5922 default:
5910 sprintf(buf,"SAS PHY Link Status: Phy=%d", PhyNumber); 5923 snprintf(evStr, EVENT_DESCR_STR_SZ,
5924 "SAS PHY Link Status: Phy=%d", PhyNumber);
5911 break; 5925 break;
5912 } 5926 }
5913 ds = buf;
5914 break; 5927 break;
5915 } 5928 }
5916 case MPI_EVENT_SAS_DISCOVERY_ERROR: 5929 case MPI_EVENT_SAS_DISCOVERY_ERROR:
@@ -5919,8 +5932,8 @@ EventDescriptionStr(u8 event, u32 evData0, char *evStr)
5919 case MPI_EVENT_IR_RESYNC_UPDATE: 5932 case MPI_EVENT_IR_RESYNC_UPDATE:
5920 { 5933 {
5921 u8 resync_complete = (u8)(evData0 >> 16); 5934 u8 resync_complete = (u8)(evData0 >> 16);
5922 sprintf(buf,"IR Resync Update: Complete = %d:",resync_complete); 5935 snprintf(evStr, EVENT_DESCR_STR_SZ,
5923 ds = buf; 5936 "IR Resync Update: Complete = %d:",resync_complete);
5924 break; 5937 break;
5925 } 5938 }
5926 case MPI_EVENT_IR2: 5939 case MPI_EVENT_IR2:
@@ -5973,7 +5986,8 @@ EventDescriptionStr(u8 event, u32 evData0, char *evStr)
5973 ds = "Unknown"; 5986 ds = "Unknown";
5974 break; 5987 break;
5975 } 5988 }
5976 strcpy(evStr,ds); 5989 if (ds)
5990 strncpy(evStr, ds, EVENT_DESCR_STR_SZ);
5977} 5991}
5978 5992
5979/*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/ 5993/*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
@@ -5995,7 +6009,7 @@ ProcessEventNotification(MPT_ADAPTER *ioc, EventNotificationReply_t *pEventReply
5995 int ii; 6009 int ii;
5996 int r = 0; 6010 int r = 0;
5997 int handlers = 0; 6011 int handlers = 0;
5998 char evStr[100]; 6012 char evStr[EVENT_DESCR_STR_SZ];
5999 u8 event; 6013 u8 event;
6000 6014
6001 /* 6015 /*