FreeBSD Bugzilla – Attachment 209138 Details for Bug 241929: ses(4) fails to sanitize illegal strings in SES element descriptors
[patch] sanitize SES element descriptors in ses(4)
bug_241929.diff (text/plain), 1.58 KB, created by Alan Somers on 2019-11-13 20:26:33 UTC
>Index: sys/cam/scsi/scsi_enc_ses.c >=================================================================== >--- sys/cam/scsi/scsi_enc_ses.c (revision 353698) >+++ sys/cam/scsi/scsi_enc_ses.c (working copy) >@@ -110,7 +110,7 @@ > typedef struct ses_element { > uint8_t eip; /* eip bit is set */ > uint16_t descr_len; /* length of the descriptor */ >- char *descr; /* descriptor for this object */ >+ const char *descr; /* descriptor for this object */ > struct ses_addl_status addl; /* additional status info */ > } ses_element_t; > >@@ -1977,6 +1977,33 @@ > return (0); > } > >+/* >+ * \brief Sanitize an element descriptor >+ * >+ * The SES4r3 standard, sections 3.1.2 and 6.1.10, specifies that element >+ * descriptors may only contain ASCII characters in the range 0x20 to 0x7e. >+ * But some vendors violate that rule. Ensure that we only expose compliant >+ * descriptors to userland. >+ * >+ * \param desc SES element descriptor as reported by the hardware >+ * \param len Length of desc in bytes, not necessarily including >+ * trailing NUL >+ */ >+static const char* >+ses_sanitize_elm_desc(char *desc, int len) >+{ >+ int i; >+ >+ for (i = 0; i < len; i++) { >+ if (desc[i] < 0x20 || desc[i] > 0x7e) { >+ return ("<invalid>"); >+ } else if (desc[i] == 0) { >+ break; >+ } >+ } >+ return (desc); >+} >+ > /** > * \brief Parse the descriptors for each object. > * >@@ -2061,7 +2088,8 @@ > if (length > 0) { > elmpriv = element->elm_private; > elmpriv->descr_len = length; >- elmpriv->descr = &buf[offset]; >+ elmpriv->descr = ses_sanitize_elm_desc(&buf[offset], >+ length); > } > > /* skip over the descriptor itself */
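Review bot: In ses_sanitize_elm_desc() (hunk at -1977), the `desc[i] == 0` branch is unreachable, because a NUL byte already satisfies `desc[i] < 0x20` in the test before it. A descriptor that is NUL-terminated or NUL-padded before len is therefore replaced with "<invalid>" even when every character ahead of the NUL is in range. Test for NUL first and break, then apply the 0x20 to 0x7e range check. Two smaller points in the same hunk: the helper only reads desc, so the parameter can be `const char *`, and the header comment opens with `/*` while the function comment right after it uses `/**`.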
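Review bot: In the hunk at -2061, `elmpriv->descr_len = length;` still records the hardware-reported length even when ses_sanitize_elm_desc() returns the "<invalid>" literal, so descr_len no longer describes the buffer that descr points at. Any consumer that copies descr_len bytes from descr would read past the end of the 10-byte literal whenever length is larger than that. Set descr_len to match the returned string in the invalid case, or have the helper report the length alongside the pointer.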