[SCSI] fusion - bug fix stack overflow in mptbase

Bug fix for stack overflow in EventDescriptionStr (a function
for debugging firmware events). We allocated 50 bytes on the local stack
for buff[]; however, there are places in the code where we've attempted
copying more than 50 bytes into buff[].

Signed-off-by: Eric Moore <Eric.Moore@lsil.com>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>

authored by Eric Moore and committed by James Bottomley 509e5e5d f2536cbd

+37 -23
+37 -23
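--- a/drivers/message/fusion/mptbase.c
+++ b/drivers/message/fusion/mptbase.c
@@ -5735,12 +5735,13 @@
 return rc;
 }
 
+# define EVENT_DESCR_STR_SZ 100
+
 /*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
 static void
 EventDescriptionStr(u8 event, u32 evData0, char *evStr)
 {
-char *ds;
-char buf[50];
+char *ds = NULL;
 
 switch(event) {
 case MPI_EVENT_NONE:
@@ -5777,9 +5778,9 @@
 if (evData0 == MPI_EVENT_LOOP_STATE_CHANGE_LIP)
 ds = "Loop State(LIP) Change";
 else if (evData0 == MPI_EVENT_LOOP_STATE_CHANGE_LPE)
-ds = "Loop State(LPE) Change"; /* ??? */
+ds = "Loop State(LPE) Change"; /* ??? */
 else
-ds = "Loop State(LPB) Change"; /* ??? */
+ds = "Loop State(LPB) Change"; /* ??? */
 break;
 case MPI_EVENT_LOGOUT:
 ds = "Logout";
@@ -5845,22 +5846,28 @@
 u8 ReasonCode = (u8)(evData0 >> 16);
 switch (ReasonCode) {
 case MPI_EVENT_SAS_DEV_STAT_RC_ADDED:
-sprintf(buf,"SAS Device Status Change: Added: id=%d", id);
+snprintf(evStr, EVENT_DESCR_STR_SZ,
+"SAS Device Status Change: Added: id=%d", id);
 break;
 case MPI_EVENT_SAS_DEV_STAT_RC_NOT_RESPONDING:
-sprintf(buf,"SAS Device Status Change: Deleted: id=%d", id);
+snprintf(evStr, EVENT_DESCR_STR_SZ,
+"SAS Device Status Change: Deleted: id=%d", id);
 break;
 case MPI_EVENT_SAS_DEV_STAT_RC_SMART_DATA:
-sprintf(buf,"SAS Device Status Change: SMART Data: id=%d", id);
+snprintf(evStr, EVENT_DESCR_STR_SZ,
+"SAS Device Status Change: SMART Data: id=%d",
+id);
 break;
 case MPI_EVENT_SAS_DEV_STAT_RC_NO_PERSIST_ADDED:
-sprintf(buf,"SAS Device Status Change: No Persistancy Added: id=%d", id);
+snprintf(evStr, EVENT_DESCR_STR_SZ,
+"SAS Device Status Change: No Persistancy "
+"Added: id=%d", id);
 break;
 default:
-sprintf(buf,"SAS Device Status Change: Unknown: id=%d", id);
-break;
+snprintf(evStr, EVENT_DESCR_STR_SZ,
+"SAS Device Status Change: Unknown: id=%d", id);
+break;
 }
-ds = buf;
 break;
 }
 case MPI_EVENT_ON_BUS_TIMER_EXPIRED:
@@ -5883,34 +5890,40 @@
 MPI_EVENT_SAS_PLS_LR_CURRENT_SHIFT;
 switch (LinkRates) {
 case MPI_EVENT_SAS_PLS_LR_RATE_UNKNOWN:
-sprintf(buf,"SAS PHY Link Status: Phy=%d:"
+snprintf(evStr, EVENT_DESCR_STR_SZ,
+"SAS PHY Link Status: Phy=%d:"
 " Rate Unknown",PhyNumber);
 break;
 case MPI_EVENT_SAS_PLS_LR_RATE_PHY_DISABLED:
-sprintf(buf,"SAS PHY Link Status: Phy=%d:"
+snprintf(evStr, EVENT_DESCR_STR_SZ,
+"SAS PHY Link Status: Phy=%d:"
 " Phy Disabled",PhyNumber);
 break;
 case MPI_EVENT_SAS_PLS_LR_RATE_FAILED_SPEED_NEGOTIATION:
-sprintf(buf,"SAS PHY Link Status: Phy=%d:"
+snprintf(evStr, EVENT_DESCR_STR_SZ,
+"SAS PHY Link Status: Phy=%d:"
 " Failed Speed Nego",PhyNumber);
 break;
 case MPI_EVENT_SAS_PLS_LR_RATE_SATA_OOB_COMPLETE:
-sprintf(buf,"SAS PHY Link Status: Phy=%d:"
+snprintf(evStr, EVENT_DESCR_STR_SZ,
+"SAS PHY Link Status: Phy=%d:"
 " Sata OOB Completed",PhyNumber);
 break;
 case MPI_EVENT_SAS_PLS_LR_RATE_1_5:
-sprintf(buf,"SAS PHY Link Status: Phy=%d:"
+snprintf(evStr, EVENT_DESCR_STR_SZ,
+"SAS PHY Link Status: Phy=%d:"
 " Rate 1.5 Gbps",PhyNumber);
 break;
 case MPI_EVENT_SAS_PLS_LR_RATE_3_0:
-sprintf(buf,"SAS PHY Link Status: Phy=%d:"
+snprintf(evStr, EVENT_DESCR_STR_SZ,
+"SAS PHY Link Status: Phy=%d:"
 " Rate 3.0 Gpbs",PhyNumber);
 break;
 default:
-sprintf(buf,"SAS PHY Link Status: Phy=%d", PhyNumber);
+snprintf(evStr, EVENT_DESCR_STR_SZ,
+"SAS PHY Link Status: Phy=%d", PhyNumber);
 break;
 }
-ds = buf;
 break;
 }
 case MPI_EVENT_SAS_DISCOVERY_ERROR:
@@ -5919,8 +5932,8 @@
 case MPI_EVENT_IR_RESYNC_UPDATE:
 {
 u8 resync_complete = (u8)(evData0 >> 16);
-sprintf(buf,"IR Resync Update: Complete = %d:",resync_complete);
-ds = buf;
+snprintf(evStr, EVENT_DESCR_STR_SZ,
+"IR Resync Update: Complete = %d:",resync_complete);
 break;
 }
 case MPI_EVENT_IR2:
@@ -5973,7 +5986,8 @@
 ds = "Unknown";
 break;
 }
-strcpy(evStr,ds);
+if (ds)
+strncpy(evStr, ds, EVENT_DESCR_STR_SZ);
 }
 
 /*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
@@ -5995,7 +6009,7 @@
 int ii;
 int r = 0;
 int handlers = 0;
-char evStr[100];
+char evStr[EVENT_DESCR_STR_SZ];
 u8 event;
 
 /*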
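Review bot: The final copy in EventDescriptionStr, `strncpy(evStr, ds, EVENT_DESCR_STR_SZ)`, leaves evStr unterminated if a description ever reaches EVENT_DESCR_STR_SZ bytes, and the function still takes no length argument, so it trusts every caller to pass a buffer of exactly that size. The literals visible in these hunks are all short, so this is latent rather than live, but a copy that always terminates, such as `strlcpy(evStr, ds, EVENT_DESCR_STR_SZ);` (strscpy in current kernels), removes the dependence on string lengths. With `ds` now initialised to NULL and the copy guarded by `if (ds)`, any case that sets neither ds nor evStr would return with the caller's stack buffer uninitialised; the cases outside these hunks are not visible, so an `evStr[0] = '\0';` at the top of the function would make that safe regardless. A one-line comment above the function saying that evStr must point to at least EVENT_DESCR_STR_SZ bytes would document the contract the `char evStr[EVENT_DESCR_STR_SZ]` caller relies on.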