[src/trunk]: src/sys/dev/scsipi scsi(9): Handle bogus number of LUNs in SCSI_...

[riastradh <riastradh%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/61845206095d
branches:  trunk
changeset: 363440:61845206095d
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Sat Mar 12 16:57:15 2022 +0000

description:
scsi(9): Handle bogus number of LUNs in SCSI_REPORT_LUNS.

Reported-by: syzbot+76ef9084533d4bccec66%syzkaller.appspotmail.com@localhost

diffstat:

 sys/dev/scsipi/scsiconf.c |  12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

diffs (47 lines):

diff -r 98cce42b129e -r 61845206095d sys/dev/scsipi/scsiconf.c
--- a/sys/dev/scsipi/scsiconf.c Sat Mar 12 16:54:17 2022 +0000
+++ b/sys/dev/scsipi/scsiconf.c Sat Mar 12 16:57:15 2022 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: scsiconf.c,v 1.299 2022/03/12 15:32:32 riastradh Exp $ */
+/*     $NetBSD: scsiconf.c,v 1.300 2022/03/12 16:57:15 riastradh Exp $ */
 
 /*-
  * Copyright (c) 1998, 1999, 2004 The NetBSD Foundation, Inc.
@@ -48,7 +48,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: scsiconf.c,v 1.299 2022/03/12 15:32:32 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: scsiconf.c,v 1.300 2022/03/12 16:57:15 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -400,7 +400,7 @@
        uint16_t tmp;
 
        int error;
-       size_t i, rlrlen;
+       size_t i, rlrlen, rlrlenmin;
 
        memset(&replun, 0, sizeof(replun));
 
@@ -421,7 +421,7 @@
                goto end2;
        }
 
-       rlrlen = sizeof(*rlr) + sizeof(*lunp) * 1;
+       rlrlen = rlrlenmin = sizeof(*rlr) + sizeof(*lunp) * 1;
 
 again:
        rlr = kmem_zalloc(rlrlen, KM_SLEEP);
@@ -443,6 +443,10 @@
                    16383 * sizeof(*lunp));
                kmem_free(rlr, old_rlrlen);
                rlr = NULL;
+               if (rlrlen < rlrlenmin) {
+                       error = EIO;
+                       goto end;
+               }
                goto again;
        }