Sat Aug 19 04:27:35 2017 UTC ()
Pull up following revision(s) (requested by mrg in ticket #1485):
	sys/dev/ic/isp_netbsd.c: revision 1.89
Reject out-of-bounds channel index.
From Ilja Van Sprundel.


(snj)
diff -r1.85.2.1 -r1.85.2.1.2.1 src/sys/dev/ic/isp_netbsd.c


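--- a/src/sys/dev/ic/isp_netbsd.c
+++ b/src/sys/dev/ic/isp_netbsd.c
@@ -1,14 +1,14 @@
-/* $NetBSD: isp_netbsd.c,v 1.85.2.1 2012/09/03 18:38:34 riz Exp $ */
+/* $NetBSD: isp_netbsd.c,v 1.85.2.1.2.1 2017/08/19 04:27:35 snj Exp $ */
 /*
  * Platform (NetBSD) dependent common attachment code for Qlogic adapters.
  */
 /*
  * Copyright (C) 1997, 1998, 1999 National Aeronautics & Space Administration
  * All rights reserved.
  *
  * Additional Copyright (C) 2000-2007 by Matthew Jacob
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -23,27 +23,27 @@
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: isp_netbsd.c,v 1.85.2.1 2012/09/03 18:38:34 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: isp_netbsd.c,v 1.85.2.1.2.1 2017/08/19 04:27:35 snj Exp $");
 
 #include <dev/ic/isp_netbsd.h>
 #include <dev/ic/isp_ioctl.h>
 #include <sys/scsiio.h>
 
 #include <sys/timevar.h>
 
 /*
  * Set a timeout for the watchdogging of a command.
  *
  * The dimensional analysis is
  *
  * milliseconds * (seconds/millisecond) * (ticks/second) = ticks
@@ -465,26 +465,30 @@ ispioctl(struct scsipi_channel *chan, u_
 
  if (IS_SCSI(isp)) {
  retval = EINVAL;
  break;
  }
 
  ua = *(isp_dlist_t **)addr;
  if (copyin(ua, &local, sizeof (isp_dlist_t))) {
  retval = EFAULT;
  break;
  }
  lim = local.count;
  channel = local.channel;
+ if (channel >= isp->isp_nchan) {
+ retval = EINVAL;
+ break;
+ }
 
  ua = *(isp_dlist_t **)addr;
  uptr = &ua->wwns[0];
 
  if (ISP_CAP_2KLOGIN(isp)) {
  nphe = NPH_MAX_2K;
  } else {
  nphe = NPH_MAX;
  }
  for (count = 0, nph = 0; count < lim && nph != nphe; nph++) {
  ISP_LOCK(isp);
  retval = isp_control(isp, ISPCTL_GET_NAMES, channel,
  nph, &pair.wwnn, &pair.wwpn);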
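Review bot: The added guard `if (channel >= isp->isp_nchan)` rejects only values that are too large, so it is a complete bounds check only if `channel` is an unsigned type; its declaration is outside this hunk and should be confirmed. If it is signed, a negative `local.channel` copied in from userland would still reach `isp_control(isp, ISPCTL_GET_NAMES, channel, ...)`, and the declaration should be made unsigned (or the condition extended with `channel < 0 ||`). A short comment above the check, such as `/* channel is user-supplied via copyin(); validate before it is used as a channel index */`, would record why the test sits directly after the copy. The enclosing `case` and the `for` loop continue past the end of the hunk, so other ioctl cases in `ispioctl` that take a channel from the caller are not visible here and may need the same check.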