diff options
author | Alan Stern <stern@rowland.harvard.edu> | 2008-02-20 14:15:58 -0500 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2008-02-21 18:38:55 -0500 |
commit | 7084191d53b224b953c8e1db525ea6c31aca5fc7 (patch) | |
tree | 6cb1288a50aa1977c48e9e32d7d61cf2204ac350 /drivers/usb/storage/protocol.c | |
parent | 274399d14f121d7676ecb75a461cfed6cf9e4cdb (diff) |
USB: usb-storage: don't access beyond the end of the sg buffer
This patch (as1035) fixes a bug in usb_stor_access_xfer_buf() (the bug
was originally found by Boaz Harrosh): The routine must not attempt to
write beyond the end of a scatter-gather list or beyond the number of
bytes requested. It also fixes up the formatting of a few comments
and similar whitespace issues.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers/usb/storage/protocol.c')
-rw-r--r-- | drivers/usb/storage/protocol.c | 27 |
1 files changed, 15 insertions, 12 deletions
diff --git a/drivers/usb/storage/protocol.c b/drivers/usb/storage/protocol.c index a41ce21c0697..958f5b17847c 100644 --- a/drivers/usb/storage/protocol.c +++ b/drivers/usb/storage/protocol.c | |||
@@ -150,13 +150,14 @@ void usb_stor_transparent_scsi_command(struct scsi_cmnd *srb, | |||
150 | 150 | ||
151 | /* Copy a buffer of length buflen to/from the srb's transfer buffer. | 151 | /* Copy a buffer of length buflen to/from the srb's transfer buffer. |
152 | * Update the **sgptr and *offset variables so that the next copy will | 152 | * Update the **sgptr and *offset variables so that the next copy will |
153 | * pick up from where this one left off. */ | 153 | * pick up from where this one left off. |
154 | 154 | */ | |
155 | unsigned int usb_stor_access_xfer_buf(unsigned char *buffer, | 155 | unsigned int usb_stor_access_xfer_buf(unsigned char *buffer, |
156 | unsigned int buflen, struct scsi_cmnd *srb, struct scatterlist **sgptr, | 156 | unsigned int buflen, struct scsi_cmnd *srb, struct scatterlist **sgptr, |
157 | unsigned int *offset, enum xfer_buf_dir dir) | 157 | unsigned int *offset, enum xfer_buf_dir dir) |
158 | { | 158 | { |
159 | unsigned int cnt; | 159 | unsigned int cnt; |
160 | struct scatterlist *sg = *sgptr; | ||
160 | 161 | ||
161 | /* We have to go through the list one entry | 162 | /* We have to go through the list one entry |
162 | * at a time. Each s-g entry contains some number of pages, and | 163 | * at a time. Each s-g entry contains some number of pages, and |
@@ -164,22 +165,23 @@ unsigned int usb_stor_access_xfer_buf(unsigned char *buffer, | |||
164 | * in kernel-addressable memory then kmap() will return its address. | 165 | * in kernel-addressable memory then kmap() will return its address. |
165 | * If the page is not directly accessible -- such as a user buffer | 166 | * If the page is not directly accessible -- such as a user buffer |
166 | * located in high memory -- then kmap() will map it to a temporary | 167 | * located in high memory -- then kmap() will map it to a temporary |
167 | * position in the kernel's virtual address space. */ | 168 | * position in the kernel's virtual address space. |
168 | struct scatterlist *sg = *sgptr; | 169 | */ |
169 | 170 | ||
170 | if (!sg) | 171 | if (!sg) |
171 | sg = scsi_sglist(srb); | 172 | sg = scsi_sglist(srb); |
173 | buflen = min(buflen, scsi_bufflen(srb)); | ||
172 | 174 | ||
173 | /* This loop handles a single s-g list entry, which may | 175 | /* This loop handles a single s-g list entry, which may |
174 | * include multiple pages. Find the initial page structure | 176 | * include multiple pages. Find the initial page structure |
175 | * and the starting offset within the page, and update | 177 | * and the starting offset within the page, and update |
176 | * the *offset and **sgptr values for the next loop. */ | 178 | * the *offset and **sgptr values for the next loop. |
179 | */ | ||
177 | cnt = 0; | 180 | cnt = 0; |
178 | while (cnt < buflen) { | 181 | while (cnt < buflen && sg) { |
179 | struct page *page = sg_page(sg) + | 182 | struct page *page = sg_page(sg) + |
180 | ((sg->offset + *offset) >> PAGE_SHIFT); | 183 | ((sg->offset + *offset) >> PAGE_SHIFT); |
181 | unsigned int poff = | 184 | unsigned int poff = (sg->offset + *offset) & (PAGE_SIZE-1); |
182 | (sg->offset + *offset) & (PAGE_SIZE-1); | ||
183 | unsigned int sglen = sg->length - *offset; | 185 | unsigned int sglen = sg->length - *offset; |
184 | 186 | ||
185 | if (sglen > buflen - cnt) { | 187 | if (sglen > buflen - cnt) { |
@@ -222,14 +224,15 @@ unsigned int usb_stor_access_xfer_buf(unsigned char *buffer, | |||
222 | } | 224 | } |
223 | 225 | ||
224 | /* Store the contents of buffer into srb's transfer buffer and set the | 226 | /* Store the contents of buffer into srb's transfer buffer and set the |
225 | * SCSI residue. */ | 227 | * SCSI residue. |
228 | */ | ||
226 | void usb_stor_set_xfer_buf(unsigned char *buffer, | 229 | void usb_stor_set_xfer_buf(unsigned char *buffer, |
227 | unsigned int buflen, struct scsi_cmnd *srb) | 230 | unsigned int buflen, struct scsi_cmnd *srb) |
228 | { | 231 | { |
229 | unsigned int offset = 0; | 232 | unsigned int offset = 0; |
230 | struct scatterlist *sg = NULL; | 233 | struct scatterlist *sg = NULL; |
231 | 234 | ||
232 | usb_stor_access_xfer_buf(buffer, buflen, srb, &sg, &offset, | 235 | buflen = usb_stor_access_xfer_buf(buffer, buflen, srb, &sg, &offset, |
233 | TO_XFER_BUF); | 236 | TO_XFER_BUF); |
234 | if (buflen < scsi_bufflen(srb)) | 237 | if (buflen < scsi_bufflen(srb)) |
235 | scsi_set_resid(srb, scsi_bufflen(srb) - buflen); | 238 | scsi_set_resid(srb, scsi_bufflen(srb) - buflen); |