scsi: ses: Fix possible desc_ptr out-of-bounds accesses

Sanitize possible desc_ptr out-of-bounds accesses in ses_enclosure_data_process(). Link: https://lore.kernel.org/r/20230202162451.15346-4-thenzl@redhat.com Cc: stable@vger.kernel.org Signed-off-by: N Tomas Henzl <thenzl@redhat.com> Signed-off-by: N Martin K. Petersen <martin.petersen@oracle.com>

scsi: ses: Fix possible desc_ptr out-of-bounds accesses
Sanitize possible desc_ptr out-of-bounds accesses in ses_enclosure_data_process(). Link: https://lore.kernel.org/r/20230202162451.15346-4-thenzl@redhat.com Cc: stable@vger.kernel.org Signed-off-by: N Tomas Henzl <thenzl@redhat.com> Signed-off-by: N Martin K. Petersen <martin.petersen@oracle.com>
801ab13d · Tomas Henzl · Martin K. Petersen · db95d4df · 801ab13d
隐藏空白更改
内联并排

Showing with 9 addition and 5 deletion

drivers/scsi/ses.c drivers/scsi/ses.c +9 -5

未找到文件。
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -578,15 +578,19 @@ static void ses_enclosure_data_process(struct enclosure_device *edev,
 			int max_desc_len;

 			if (desc_ptr) {
-				if (desc_ptr >= buf + page7_len) {
+				if (desc_ptr + 3 >= buf + page7_len) {
 					desc_ptr = NULL;
 				} else {
 					len = (desc_ptr[2] << 8) + desc_ptr[3];
 					desc_ptr += 4;
-					/* Add trailing zero - pushes into
-					 * reserved space */
-					desc_ptr[len] = '\0';
-					name = desc_ptr;
+					if (desc_ptr + len > buf + page7_len)
+						desc_ptr = NULL;
+					else {
+						/* Add trailing zero - pushes into
+						 * reserved space */
+						desc_ptr[len] = '\0';
+						name = desc_ptr;
+					}
 				}
 			}
 			if (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE ||