From: Dan Carpenter <dan.carpenter@oracle.com>
To: erich@areca.com.tw
Cc: linux-scsi@vger.kernel.org
Subject: [bug #1] arcmsr: read past end of array in arcmsr_report_sense_info()
Date: Fri, 7 Feb 2014 16:00:55 +0300
Message-ID: <20140207130055.GB6971@elgon.mountain>

Hello Erich Chen,

The patch 1c57e86d75cf: "[SCSI] arcmsr: initial driver, version
1.20.00.13" from Jul 12, 2006, leads to the following static checker
warning:

	drivers/scsi/arcmsr/arcmsr_hba.c:816 arcmsr_report_sense_info()
	error: memcpy() 'ccb->arcmsr_cdb.SenseData' too small (15 vs 18)

drivers/scsi/arcmsr/arcmsr_hba.c
   805  static void arcmsr_report_sense_info(struct CommandControlBlock *ccb)
   806  {
   807  
   808          struct scsi_cmnd *pcmd = ccb->pcmd;
   809          struct SENSE_DATA *sensebuffer = (struct SENSE_DATA *)pcmd->sense_buffer;
   810          pcmd->result = DID_OK << 16;
   811          if (sensebuffer) {
   812                  int sense_data_length =
   813                          sizeof(struct SENSE_DATA) < SCSI_SENSE_BUFFERSIZE
   814                          ? sizeof(struct SENSE_DATA) : SCSI_SENSE_BUFFERSIZE;
   815                  memset(sensebuffer, 0, SCSI_SENSE_BUFFERSIZE);
   816                  memcpy(sensebuffer, ccb->arcmsr_cdb.SenseData, sense_data_length);
                                            ^^^^^^^^^^^^^^^^^^^^^^^^^
This buffer is 15 bytes but we copy 18 bytes so we are reading past the
end of the array.

   817                  sensebuffer->ErrorCode = SCSI_SENSE_CURRENT_ERRORS;
   818                  sensebuffer->Valid = 1;
   819          }
   820  }

regards,
dan carpenter
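
The length computation flagged above, as an added example that is not part of the original message and is not the driver's code or its fix: the reported length is bounded only by destination-side sizes, so the copy pulls in bytes that sit after the 15-byte source array. The struct layouts, the `next_field` member, the 96-byte buffer size and all function names are constructed stand-ins; only the 15 and 18 come from the checker warning.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins; 15 and 18 are the sizes named in the warning. */
#define SENSE_BUFFERSIZE 96                     /* assumed destination buffer size */
struct sense_data { unsigned char raw[18]; };   /* stands in for struct SENSE_DATA */
struct cdb {
    unsigned char SenseData[15];                /* the copy source, at offset 0 */
    unsigned char next_field[8];                /* hypothetical neighbouring member */
};

#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define SRC_LEN   sizeof(((struct cdb *)0)->SenseData)

/* Length as in the reported code: minimum of two destination-side sizes. */
size_t copy_len_reported(void)
{
    return MIN(sizeof(struct sense_data), (size_t)SENSE_BUFFERSIZE);
}

/* Same computation with the source array included in the bound. */
size_t copy_len_bounded(void)
{
    return MIN(copy_len_reported(), SRC_LEN);
}

/* Copy n bytes starting at SenseData and count how many came from
 * next_field. The copy uses the struct base so the read is well defined. */
size_t bytes_from_past_array(size_t n)
{
    struct cdb c;
    unsigned char dst[SENSE_BUFFERSIZE];
    size_t i, past = 0;

    memset(&c, 0, sizeof(c));
    memset(c.next_field, 0xAA, sizeof(c.next_field)); /* marker bytes */
    memset(dst, 0, sizeof(dst));
    memcpy(dst, &c, n);
    for (i = 0; i < n; i++)
        past += (dst[i] == 0xAA);
    return past;
}

int main(void)
{
    printf("reported: len=%zu past=%zu\n", copy_len_reported(),
           bytes_from_past_array(copy_len_reported()));
    printf("bounded:  len=%zu past=%zu\n", copy_len_bounded(),
           bytes_from_past_array(copy_len_bounded()));
    return 0;
}
```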
