authorAlan Stern <stern@rowland.harvard.edu>2006-11-10 15:27:57 -0500
committerLinus Torvalds <torvalds@g5.osdl.org>2006-11-13 10:40:43 -0500
commit09123d230a294cd3b860f4ea042235b988277f0a (patch)
treee5231cafdbecb9fbf4bc0d1b462f43c64136980b
parentf72fa707604c015a6625e80f269506032d5430dc (diff)
[PATCH] SCSI core: always store >= 36 bytes of INQUIRY data
This patch (as810c) copies a minimum of 36 bytes of INQUIRY data, even if the device claims that not all of them are valid. Often badly behaved devices put plausible data in the Vendor, Product, and Revision strings but set the Additional Length byte to a small value. Using potentially valid data is certainly better than allocating a short buffer and then reading beyond the end of it, which is what we do now. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Cc: James Bottomley <James.Bottomley@steeleye.com> Cc: Greg KH <greg@kroah.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r--drivers/scsi/scsi_scan.c18
1 files changed, 14 insertions, 4 deletions
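--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -631,12 +631,22 @@ static int scsi_add_lun(struct scsi_device *sdev, unsigned char *inq_result,
 * scanning run at their own risk, or supply a user level program
 * that can correctly scan.
 */
-sdev->inquiry = kmalloc(sdev->inquiry_len, GFP_ATOMIC);
-if (sdev->inquiry == NULL) {
+
+/*
+* Copy at least 36 bytes of INQUIRY data, so that we don't
+* dereference unallocated memory when accessing the Vendor,
+* Product, and Revision strings. Badly behaved devices may set
+* the INQUIRY Additional Length byte to a small value, indicating
+* these strings are invalid, but often they contain plausible data
+* nonetheless. It doesn't matter if the device sent < 36 bytes
+* total, since scsi_probe_lun() initializes inq_result with 0s.
+*/
+sdev->inquiry = kmemdup(inq_result,
+max_t(size_t, sdev->inquiry_len, 36),
+GFP_ATOMIC);
+if (sdev->inquiry == NULL)
 return SCSI_SCAN_NO_RESPONSE;
-}
 
-memcpy(sdev->inquiry, inq_result, sdev->inquiry_len);
 sdev->vendor = (char *) (sdev->inquiry + 8);
 sdev->model = (char *) (sdev->inquiry + 16);
 sdev->rev = (char *) (sdev->inquiry + 32);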
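Review bot: The `kmemdup()` call at new lines 644-646 reads `max_t(size_t, sdev->inquiry_len, 36)` bytes from `inq_result`, so it is only safe if the caller's buffer is at least 36 bytes long and zero-filled, which the hunk states in a comment but does not enforce. The size of `inq_result` is not visible here, so I would add a line to the comment such as `* inq_result must be at least 36 bytes long; see scsi_probe_lun().` and replace the bare `36` with a named constant for the standard INQUIRY length. Note also that `sdev->inquiry_len` keeps the device-reported value while the allocation may now be larger; that is presumably harmless for readers that bound by `inquiry_len`, but any code that assumes the two sizes match should be checked. The `vendor`, `model` and `rev` pointers set just below point into this buffer without terminators, so their consumers need fixed-width reads. The body of `scsi_add_lun()` begins and continues outside this hunk.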