svn commit: r345507 - stable/11/sys/dev/pms/RefTisa/tisa/sassata/sas/ini

[David Bright]

Author: dab
Date: Mon Mar 25 17:04:14 2019
New Revision: 345507
URL: https://svnweb.freebsd.org/changeset/base/345507

Log:
  MFC r345009:
  
  Fix a scribbler in the PMS driver.
  
  The ESGL bit was left uninitialized when executing the REPORT LUNS
  ioctl. This could allow a zeroed data buffer to be treated as a
  scatter/gather list. The firmware would eventually walk past the end
  of the data buffer, potentially find what looked like a valid
  address/length pair, and write the result to semi-random memory.
  
  Obtained from:  Dell EMC Isilon
  Sponsored by:   Dell EMC Isilon

Modified:
  stable/11/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c
==============================================================================
--- stable/11/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c	Mon Mar 25 17:03:39 2019	(r345506)
+++ stable/11/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c	Mon Mar 25 17:04:14 2019	(r345507)
@@ -1874,7 +1874,9 @@ tiNumOfLunIOCTLreq(
       
     agSSPFrame->dataLength = REPORT_LUN_LEN;
     agSSPFrame->agSgl.len =	sizeof(agsaSSPCmdInfoUnit_t);
-    
+    agSSPFrame->agSgl.extReserved = 0;
+    CLEAR_ESGL_EXTEND(agSSPFrame->agSgl.extReserved);
+
     status = saSSPStart(agRoot, agIORequest, 0, agDevHandle, agRequestType,agSASRequestBody,agNULL,
     										   &ossaSSPIoctlCompleted);
     if(status != AGSA_RC_SUCCESS)