git: 9a2a95eaa6b9 - stable/14 - ctl_report_supported_opcodes: Handle invalid requested service action
Date: Sun, 01 Dec 2024 04:57:03 UTC
The branch stable/14 has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=9a2a95eaa6b9321fae5044a27f23624bfb2ad159 commit 9a2a95eaa6b9321fae5044a27f23624bfb2ad159 Author: John Baldwin <jhb@FreeBSD.org> AuthorDate: 2024-10-21 14:53:48 +0000 Commit: John Baldwin <jhb@FreeBSD.org> CommitDate: 2024-12-01 02:46:05 +0000 ctl_report_supported_opcodes: Handle invalid requested service action Service actions are only valid up to 31 as they are encoded in the low 5 bits of byte 1 in CDBs. Fail requests with a requested service action of 32 or higher with an INVALID FIELD IN COMMAND specifying byte 4 as the illegal byte. Reviewed by: asomers Differential Revision: https://reviews.freebsd.org/D46611 (cherry picked from commit 0e3a211961014e0991a54f583b2866ac19ed0e76)
---
 sys/cam/ctl/ctl.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/sys/cam/ctl/ctl.c b/sys/cam/ctl/ctl.c
index 1a1a27ae16dd..f22b6ae924bc 100644
--- a/sys/cam/ctl/ctl.c
+++ b/sys/cam/ctl/ctl.c
@@ -7499,16 +7499,20 @@ ctl_report_supported_opcodes(struct ctl_scsiio *ctsio)
 total_len = sizeof(struct scsi_report_supported_opcodes_one) + 32;
 break;
 case RSO_OPTIONS_OC_SA:
- if ((ctl_cmd_table[opcode].flags & CTL_CMD_FLAG_SA5) == 0 ||
- service_action >= 32) {
+ if ((ctl_cmd_table[opcode].flags & CTL_CMD_FLAG_SA5) == 0) {
 goto invalid_options;
 }
- total_len = sizeof(struct scsi_report_supported_opcodes_one) + 32;
- break;
+ /* FALLTHROUGH */
 case RSO_OPTIONS_OC_ASA:
- if ((ctl_cmd_table[opcode].flags & CTL_CMD_FLAG_SA5) != 0 &&
- service_action >= 32) {
- goto invalid_options;
+ if (service_action >= 32) {
+ ctl_set_invalid_field(/*ctsio*/ ctsio,
+ /*sks_valid*/ 1,
+ /*command*/ 1,
+ /*field*/ 4,
+ /*bit_valid*/ 0,
+ /*bit*/ 0);
+ ctl_done((union ctl_io *)ctsio);
+ return (CTL_RETVAL_COMPLETE);
 }
 total_len = sizeof(struct scsi_report_supported_opcodes_one) + 32;
 break;
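Review bot: The bound `service_action >= 32` in the `RSO_OPTIONS_OC_ASA` case is a bare literal with no comment, and the same number appears in `total_len = ... + 32` just below with what looks like a different meaning, so the code does not show that this is the range check on an initiator-supplied CDB field. If `service_action` is later used to index a per-opcode service-action table (not visible in this hunk), this comparison is what keeps that lookup in range. I would add a comment above the check, e.g. `/* SA5 service actions are 5 bits (0-31); reject out-of-range values before any per-SA lookup */`, or replace the literal with a named constant. It is also worth confirming that `RSO_OPTIONS_OC_ASA` should now fail for opcodes without `CTL_CMD_FLAG_SA5`, since the removed condition only rejected a large service action when that flag was set. The function body begins and ends outside the hunk.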