authorJames Bottomley <jejb@mulgrave.il.steeleye.com>2006-11-22 19:06:44 +0100
committerJames Bottomley <jejb@mulgrave.il.steeleye.com>2006-11-22 19:06:44 +0100
commit0bd2af46839ad6262d25714a6ec0365db9d6b98f (patch)
treedcced72d230d69fd0c5816ac6dd03ab84799a93e /drivers/scsi/scsi_scan.c
parent[SCSI] aic94xx: fix pointer to integer conversion warning (diff)
parent[PATCH] qla4xxx: bug fix: driver hardware semaphore needs to be grabbed befor... (diff)
Merge ../scsi-rc-fixes-2.6
Diffstat (limited to 'drivers/scsi/scsi_scan.c')
-rw-r--r--drivers/scsi/scsi_scan.c18
1 files changed, 14 insertions, 4 deletions
diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
index 148e24cc3222..aa1b1e0e9d22 100644
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -700,12 +700,22 @@ static int scsi_add_lun(struct scsi_device *sdev, unsigned char *inq_result,
* scanning run at their own risk, or supply a user level program
* that can correctly scan.
*/
- sdev->inquiry = kmalloc(sdev->inquiry_len, GFP_ATOMIC);
- if (sdev->inquiry == NULL) {
+
+ /*
+ * Copy at least 36 bytes of INQUIRY data, so that we don't
+ * dereference unallocated memory when accessing the Vendor,
+ * Product, and Revision strings. Badly behaved devices may set
+ * the INQUIRY Additional Length byte to a small value, indicating
+ * these strings are invalid, but often they contain plausible data
+ * nonetheless. It doesn't matter if the device sent < 36 bytes
+ * total, since scsi_probe_lun() initializes inq_result with 0s.
+ */
+ sdev->inquiry = kmemdup(inq_result,
+ max_t(size_t, sdev->inquiry_len, 36),
+ GFP_ATOMIC);
+ if (sdev->inquiry == NULL)
return SCSI_SCAN_NO_RESPONSE;
- }
- memcpy(sdev->inquiry, inq_result, sdev->inquiry_len);
sdev->vendor = (char *) (sdev->inquiry + 8);
sdev->model = (char *) (sdev->inquiry + 16);
sdev->rev = (char *) (sdev->inquiry + 32);
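Review bot: The bare `36` in `max_t(size_t, sdev->inquiry_len, 36)` does two jobs: it covers the `+ 8`, `+ 16` and `+ 32` string offsets just below, and it sets how many bytes `kmemdup()` reads from `inq_result`. The copy is therefore only safe if the caller's buffer is at least 36 bytes and at least `sdev->inquiry_len` long. The comment mentions the zero-fill in scsi_probe_lun(), but neither the buffer size nor an upper bound on `inquiry_len` is visible in this hunk, so both should be confirmed against the caller. I would name the minimum, for example `#define SCSI_MIN_INQUIRY_LEN 36 /* through end of Revision field */` (the name is only a suggestion), and note in the comment that `sdev->inquiry_len` is left unchanged and can be smaller than the allocation. scsi_add_lun() starts and ends outside the hunk.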