cam: fix integer overflow during inquiry

From my understanding this could happen with iSCSI LUNs with unusually long names. The bug would make CAM fail to retrieve the full inquiry data. Instead of bumping the size of the local variable, just use a macro. Reviewed By: imp, mav Sponsored by: NetApp, Inc. Sponsored by: Klara, Inc. X-NetApp-PR: #50 Differential Revision: https://reviews.freebsd.org/D29991
2021-05-03 14:46:11 +01:00 · 2021-05-03 14:46:11 +01:00 · 7818653fd6
commit 7818653fd6
parent 8f1562430f
1 changed files with 2 additions and 6 deletions
--- a/sys/cam/scsi/scsi_xpt.c
+++ b/sys/cam/scsi/scsi_xpt.c
@ -1210,8 +1210,6 @@ probedone(struct cam_periph *periph, union ccb *done_ccb)

 			if (periph_qual == SID_QUAL_LU_CONNECTED ||
 			    periph_qual == SID_QUAL_LU_OFFLINE) {
-				u_int8_t len;
-
 				/*
 				 * We conservatively request only
 				 * SHORT_INQUIRY_LEN bytes of inquiry
@ -1222,11 +1220,9 @@ probedone(struct cam_periph *periph, union ccb *done_ccb)
 				 * the amount of information the device
 				 * is willing to give.
 				 */
-				len = inq_buf->additional_length
-				    + offsetof(struct scsi_inquiry_data,
-                                               additional_length) + 1;
 				if (softc->action == PROBE_INQUIRY
-				    && len > SHORT_INQUIRY_LENGTH) {
+				    && SID_ADDITIONAL_LENGTH(inq_buf)
+				    > SHORT_INQUIRY_LENGTH) {
 					PROBE_SET_ACTION(softc, PROBE_FULL_INQUIRY);
 					xpt_release_ccb(done_ccb);
 					xpt_schedule(periph, priority);