kern/47676: Off-by-one error in reported CD capacity means last sector cannot be read

[markk%clara.co.uk@localhost]

>Number:         47676
>Category:       kern
>Synopsis:       Off-by-one error in reported CD capacity means last sector 
>cannot be read
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Mar 21 11:15:00 +0000 2013
>Originator:     Mark
>Release:        Any after 4.0
>Organization:
>Environment:
>Description:
There is an off-by-one bug in NetBSD's CD capacity code.

For example, doing
  dd if=/dev/rcd0c of=my_cd_image.iso bs=2048
creates an image file which has the last sector missing. Also doing
  md5 /dev/rcd0c
to generate a checksum of a just-burned CD to compare with a published checksum 
will fail.

I have been testing various versions of NetBSD/amiga with the WinUAE Amiga 
emulator. In the course of that, I discovered this bug which appeared somewhere 
between NetBSD 3.1.1 and NetBSD 4.0.

The bug is in the read_cd_capacity() function in src/sys/dev/scsipi/cd.c
The bug first appeared in version 1.227. The corresponding function name in 
earlier versions was cd_size().
Compare line 1662 of version 1.226 with line 1643 of version 1.227:
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dev/scsipi/cd.c?annotate=1.226
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dev/scsipi/cd.c?annotate=1.227

1.226 line 1662:
       size = _4btol(data.addr) + 1;

1.227 line 1643:
       *size = _4btol(data.addr);

>How-To-Repeat:
Insert a CD-ROM. Use dd to read it and notice the last sector is omitted from 
the image file. Do the same with NetBSD 3.1 (or another OS) and it works 
correctly.
>Fix:
In the current version 1.310 of src/sys/dev/scsipi/cd.c the problem line is 
1821. Change that from
        *size    = _4btol(cap.addr);
to
        *size    = _4btol(cap.addr) + 1;