[PATCH] SCSI core: always store >= 36 bytes of INQUIRY data

This patch (as810c) copies a minimum of 36 bytes of INQUIRY data, even if
the device claims that not all of them are valid.  Often badly behaved
devices put plausible data in the Vendor, Product, and Revision strings but
set the Additional Length byte to a small value.  Using potentially valid
data is certainly better than allocating a short buffer and then reading
beyond the end of it, which is what we do now.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Cc: James Bottomley <James.Bottomley@steeleye.com>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
index fd9e281c3bfeed4fef893cb705e7c8331011c7bd..94a274645f6f36819c29aadb3aeff7b5290581e8 100644 (file)
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -631,12 +631,22 @@ static int scsi_add_lun(struct scsi_device *sdev, unsigned char *inq_result,
         * scanning run at their own risk, or supply a user level program
         * that can correctly scan.
         */
-       sdev->inquiry = kmalloc(sdev->inquiry_len, GFP_ATOMIC);
-       if (sdev->inquiry == NULL) {
+
+       /*
+        * Copy at least 36 bytes of INQUIRY data, so that we don't
+        * dereference unallocated memory when accessing the Vendor,
+        * Product, and Revision strings.  Badly behaved devices may set
+        * the INQUIRY Additional Length byte to a small value, indicating
+        * these strings are invalid, but often they contain plausible data
+        * nonetheless.  It doesn't matter if the device sent < 36 bytes
+        * total, since scsi_probe_lun() initializes inq_result with 0s.
+        */
+       sdev->inquiry = kmemdup(inq_result,
+                               max_t(size_t, sdev->inquiry_len, 36),
+                               GFP_ATOMIC);
+       if (sdev->inquiry == NULL)
                return SCSI_SCAN_NO_RESPONSE;
-       }
 
-       memcpy(sdev->inquiry, inq_result, sdev->inquiry_len);
        sdev->vendor = (char *) (sdev->inquiry + 8);
        sdev->model = (char *) (sdev->inquiry + 16);
        sdev->rev = (char *) (sdev->inquiry + 32);