summaryrefslogtreecommitdiffstats
path: root/drivers/scsi/scsi_scan.c
diff options
context:
space:
mode:
authorAlan Stern <stern@rowland.harvard.edu>2006-11-10 12:27:57 -0800
committerLinus Torvalds <torvalds@g5.osdl.org>2006-11-13 07:40:43 -0800
commit09123d230a294cd3b860f4ea042235b988277f0a (patch)
treee5231cafdbecb9fbf4bc0d1b462f43c64136980b /drivers/scsi/scsi_scan.c
parentf72fa707604c015a6625e80f269506032d5430dc (diff)
downloadlinux-09123d230a294cd3b860f4ea042235b988277f0a.tar.gz
linux-09123d230a294cd3b860f4ea042235b988277f0a.tar.bz2
linux-09123d230a294cd3b860f4ea042235b988277f0a.zip
[PATCH] SCSI core: always store >= 36 bytes of INQUIRY data
This patch (as810c) copies a minimum of 36 bytes of INQUIRY data, even if the device claims that not all of them are valid. Often badly behaved devices put plausible data in the Vendor, Product, and Revision strings but set the Additional Length byte to a small value. Using potentially valid data is certainly better than allocating a short buffer and then reading beyond the end of it, which is what we do now. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Cc: James Bottomley <James.Bottomley@steeleye.com> Cc: Greg KH <greg@kroah.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'drivers/scsi/scsi_scan.c')
-rw-r--r--drivers/scsi/scsi_scan.c18
1 files changed, 14 insertions, 4 deletions
diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
index fd9e281c3bfe..94a274645f6f 100644
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -631,12 +631,22 @@ static int scsi_add_lun(struct scsi_device *sdev, unsigned char *inq_result,
* scanning run at their own risk, or supply a user level program
* that can correctly scan.
*/
- sdev->inquiry = kmalloc(sdev->inquiry_len, GFP_ATOMIC);
- if (sdev->inquiry == NULL) {
+
+ /*
+ * Copy at least 36 bytes of INQUIRY data, so that we don't
+ * dereference unallocated memory when accessing the Vendor,
+ * Product, and Revision strings. Badly behaved devices may set
+ * the INQUIRY Additional Length byte to a small value, indicating
+ * these strings are invalid, but often they contain plausible data
+ * nonetheless. It doesn't matter if the device sent < 36 bytes
+ * total, since scsi_probe_lun() initializes inq_result with 0s.
+ */
+ sdev->inquiry = kmemdup(inq_result,
+ max_t(size_t, sdev->inquiry_len, 36),
+ GFP_ATOMIC);
+ if (sdev->inquiry == NULL)
return SCSI_SCAN_NO_RESPONSE;
- }
- memcpy(sdev->inquiry, inq_result, sdev->inquiry_len);
sdev->vendor = (char *) (sdev->inquiry + 8);
sdev->model = (char *) (sdev->inquiry + 16);
sdev->rev = (char *) (sdev->inquiry + 32);