Add safety check against too long CDB.

SBP-2 specification defined maximum CDB length as 12 bytes. Newer SBP-3 specification allows CDB of any size, but this driver is too old. Proper solution would be to look on maximal ORB size supported by the target. MFC after: 1 week
2017-02-28 05:17:50 +00:00 · 2017-02-28 05:17:50 +00:00 · bf6e9d3cdf
commit bf6e9d3cdf
parent 745bcd6fba
1 changed files with 5 additions and 0 deletions
--- a/sys/dev/firewire/sbp.c
+++ b/sys/dev/firewire/sbp.c
@ -2367,6 +2367,11 @@ END_DEBUG
 			xpt_done(ccb);
 			return;
 		}
+		if (csio->cdb_len > sizeof(ocb->orb) - 5 * sizeof(uint32_t)) {
+			ccb->ccb_h.status = CAM_REQ_INVALID;
+			xpt_done(ccb);
+			return;
+		}
 #if 0
 		/* if we are in probe stage, pass only probe commands */
 		if (sdev->status == SBP_DEV_PROBE) {