git: 7818653fd6e0 - main - cam: fix integer overflow during inquiry

Edward Tomasz Napierala trasz at FreeBSD.org
Mon May 3 14:20:38 UTC 2021


The branch main has been updated by trasz:

URL: https://cgit.FreeBSD.org/src/commit/?id=7818653fd6e00c3e310584723978e65674c95939

commit 7818653fd6e00c3e310584723978e65674c95939
Author:     Edward Tomasz Napierala <trasz at FreeBSD.org>
AuthorDate: 2021-05-03 13:46:11 +0000
Commit:     Edward Tomasz Napierala <trasz at FreeBSD.org>
CommitDate: 2021-05-03 14:20:17 +0000

    cam: fix integer overflow during inquiry
    
    From my understanding this could happen with iSCSI LUNs with
    unusually long names.  The bug would make CAM fail to retrieve
    the full inquiry data.  Instead of bumping the size of the local
    variable, just use a macro.
    
    Reviewed By:    imp, mav
    Sponsored by:   NetApp, Inc.
    Sponsored by:   Klara, Inc.
    X-NetApp-PR:    #50
    Differential Revision:  https://reviews.freebsd.org/D29991
---
 sys/cam/scsi/scsi_xpt.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/sys/cam/scsi/scsi_xpt.c b/sys/cam/scsi/scsi_xpt.c
index bed1f3ad1373..67b94488dff0 100644
--- a/sys/cam/scsi/scsi_xpt.c
+++ b/sys/cam/scsi/scsi_xpt.c
@@ -1210,8 +1210,6 @@ out:
 
 			if (periph_qual == SID_QUAL_LU_CONNECTED ||
 			    periph_qual == SID_QUAL_LU_OFFLINE) {
-				u_int8_t len;
-
 				/*
 				 * We conservatively request only
 				 * SHORT_INQUIRY_LEN bytes of inquiry
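Review bot: The comment kept as context in this hunk names SHORT_INQUIRY_LEN, while the comparison this commit rewrites uses SHORT_INQUIRY_LENGTH. Since the block is being touched anyway, consider correcting the name in the comment so that a search for the constant also finds the explanation. Dropping the `u_int8_t len` local is the right move, because assigning the computed length to an 8-bit variable is what truncated it.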
@@ -1222,11 +1220,9 @@ out:
 				 * the amount of information the device
 				 * is willing to give.
 				 */
-				len = inq_buf->additional_length
-				    + offsetof(struct scsi_inquiry_data,
-                                               additional_length) + 1;
 				if (softc->action == PROBE_INQUIRY
-				    && len > SHORT_INQUIRY_LENGTH) {
+				    && SID_ADDITIONAL_LENGTH(inq_buf)
+				    > SHORT_INQUIRY_LENGTH) {
 					PROBE_SET_ACTION(softc, PROBE_FULL_INQUIRY);
 					xpt_release_ccb(done_ccb);
 					xpt_schedule(periph, priority);
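Review bot: The new condition relies on SID_ADDITIONAL_LENGTH(inq_buf), whose definition is not part of this diff, so the fix only holds if that macro yields the same quantity as the removed expression (additional_length plus offsetof(struct scsi_inquiry_data, additional_length) + 1) and evaluates in a type wider than 8 bits. Please confirm both against the macro definition, since a macro that casts or stores the result back into a u_int8_t would reintroduce the wrap. It would also help to say in the commit message that the old sum wrapped once it exceeded 255, which is why the comparison against SHORT_INQUIRY_LENGTH could fail for long inquiry data.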

