From 58f18b3579e6863ea56ea6a08de4c1658ae1a0ab Mon Sep 17 00:00:00 2001
From: dab
Date: Mon, 25 Mar 2019 17:04:33 +0000
Subject: [PATCH] MFC r345009: Fix a scribbler in the PMS driver. The ESGL bit was left uninitialized when executing the REPORT LUNS ioctl. This could allow a zeroed data buffer to be treated as a scatter/gather list. The firmware would eventually walk past the end of the data buffer, potentially find what looked like a valid address/length pair, and write the result to semi-random memory.
Obtained from: Dell EMC Isilon
Sponsored by: Dell EMC Isilon
git-svn-id: svn://svn.freebsd.org/base/stable/10@345508 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c b/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c
index c7d0ca085..15b83e9e2 100644
--- a/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c
+++ b/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c
@@ -1874,7 +1874,9 @@ tiNumOfLunIOCTLreq(
 agSSPFrame->dataLength = REPORT_LUN_LEN;
 agSSPFrame->agSgl.len = sizeof(agsaSSPCmdInfoUnit_t);
-
+ agSSPFrame->agSgl.extReserved = 0;
+ CLEAR_ESGL_EXTEND(agSSPFrame->agSgl.extReserved);
+
 status = saSSPStart(agRoot, agIORequest, 0, agDevHandle, agRequestType,agSASRequestBody,agNULL, &ossaSSPIoctlCompleted);
 if(status != AGSA_RC_SUCCESS)
--
2.45.0
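Review bot: The added `agSSPFrame->agSgl.extReserved = 0;` and `CLEAR_ESGL_EXTEND(agSSPFrame->agSgl.extReserved);` initialise one descriptor field by hand with no comment on why. Per the commit message this bit decides whether the firmware walks the data buffer as a scatter/gather list and writes through it, so the reason belongs next to the assignment, e.g. `/* ESGL must be clear: the buffer is a direct address, not a scatter/gather list for the firmware to walk */`. If the macro only clears the extend bit (its definition is not in the hunk), the call is redundant after the zero store and one of the two lines can go. The rest of the `agSgl` setup in `tiNumOfLunIOCTLreq` lies outside the hunk, so it is worth confirming there that the whole descriptor is zeroed or fully assigned before `saSSPStart()`, and that any other hand-built ioctl request paths in the driver do the same.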