[2128] in linux-scsi channel archive
Possible bug in sg.c
daemon@ATHENA.MIT.EDU (Ken Aaker)
Tue Jul 8 17:58:56 1997
Date: Tue, 08 Jul 1997 16:41:45 -0500
From: Ken Aaker <kenaaker@sparc.isl.net>
To: linux-scsi@vger.rutgers.edu
I just ran across what seems to be a nasty problem using the generic
SCSI driver to work with an HP Scanner.
I made a mistake setting the reply length field in a packet header that
I was using to do a write with, and it crashed my machine hard
(repeatedly...). Here's the trace (it isn't the exact trace, but it's
pretty close).
SCSI command out block
00000000 32000000 A4000000 00000000 00000000 |2...$...........|
00000010 00000000 00000000 00000000 00000000 |................|
00000020 00000000 0A000000 08001B2A 73313032 |...........*s102|
00000030 3445                                |4E              |
The actual data area was not 0xA4 bytes long, but I don't think that's
actually what the problem was anyway. I looked through
/usr/src/linux/drivers/scsi/sg.c and it seemed to be copying stuff into
the reply area buffer, using the reply length?? If it is helpful, I can
set stuff up to recreate the exact crash.
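The suspicion in the post is that sg.c sizes a copy into the reply buffer from the caller's reply_len. The program below is an added example, not code from the post or from sg.c: it decodes the dumped packet under the sg_header layout the 2.0-era driver used (assumed here from memory; check the <scsi/sg.h> of the kernel in question), then contrasts a copy that trusts reply_len with one clamped to what the reply actually holds and what the destination can take. The sample bytes are the dump above, transcribed by hand; the 36-byte reply used in main() is a constructed stand-in for what a data-out command gets back.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout of the Linux 2.0-era sg_header: 36 bytes, no padding. */
struct sg_header {
    int pack_len;                   /* bytes in this packet, header included */
    int reply_len;                  /* bytes the caller expects back, header included */
    int pack_id;
    int result;
    unsigned int twelve_byte:1;     /* force a 12-byte CDB for group 6/7 opcodes */
    unsigned int other_flags:31;
    unsigned char sense_buffer[16];
    /* CDB follows, then the data for the command */
};

/* The 0x32 bytes of the dump in the post, transcribed by hand (constructed input). */
static const unsigned char dump[0x32] = {
    0x32,0x00,0x00,0x00, 0xA4,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x0A,0x00,0x00,0x00, 0x08,0x00,0x1B,0x2A, 0x73,0x31,0x30,0x32,
    0x34,0x45,
};

static int read_le32(const unsigned char *p)
{
    return (int)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* CDB length from the opcode's group code (bits 7..5); 0 for groups not handled here.
 * The twelve_byte flag is ignored in this model. */
int cdb_len_for_opcode(unsigned char opcode)
{
    switch (opcode >> 5) {
    case 0:  return 6;
    case 1:
    case 2:  return 10;
    case 5:  return 12;
    default: return 0;
    }
}

struct decoded {
    int pack_len, reply_len, cdb_len, data_len;
    unsigned char opcode;
};

/* Pulls the lengths out of a packet; returns -1 if they do not add up. */
int decode_packet(const unsigned char *buf, size_t n, struct decoded *out)
{
    const size_t hdr = sizeof(struct sg_header);
    if (n < hdr + 1) return -1;
    out->pack_len = read_le32(buf);
    out->reply_len = read_le32(buf + 4);
    if (out->pack_len < 0 || (size_t)out->pack_len > n) return -1;
    out->opcode = buf[hdr];
    out->cdb_len = cdb_len_for_opcode(out->opcode);
    if (out->cdb_len == 0) return -1;
    out->data_len = out->pack_len - (int)hdr - out->cdb_len;
    return out->data_len < 0 ? -1 : 0;
}

/* What a copy sized straight from the caller's reply_len would move. */
size_t reply_copy_trusting(int reply_len)
{
    return reply_len > 0 ? (size_t)reply_len : 0;
}

/* What it should move: no more than asked, no more than the reply holds,
 * no more than the destination can take. A user-supplied length is a
 * ceiling, never a count of bytes that exist. */
size_t reply_copy_clamped(int reply_len, size_t have, size_t dst_cap)
{
    size_t n = reply_copy_trusting(reply_len);
    if (n > have) n = have;
    if (n > dst_cap) n = dst_cap;
    return n;
}

/* Copies a reply with the clamped length; returns the bytes actually copied. */
size_t sg_reply_copy(unsigned char *dst, size_t dst_cap,
                     const unsigned char *reply, size_t have, int reply_len)
{
    size_t n = reply_copy_clamped(reply_len, have, dst_cap);
    memcpy(dst, reply, n);
    return n;
}

int main(void)
{
    struct decoded d;
    if (decode_packet(dump, sizeof dump, &d) != 0) {
        puts("packet does not decode");
        return 1;
    }
    printf("pack_len=%d reply_len=%d opcode=0x%02X cdb_len=%d data_len=%d\n",
           d.pack_len, d.reply_len, d.opcode, d.cdb_len, d.data_len);

    /* Constructed: a data-out command modelled as returning only the 36-byte
     * header, while the caller asked for 0xA4 = 164 bytes. */
    unsigned char reply[sizeof(struct sg_header)] = {0};
    unsigned char user_buf[0xA4];
    printf("trusting reply_len would copy %zu bytes from a %zu-byte reply\n",
           reply_copy_trusting(d.reply_len), sizeof reply);
    printf("clamped copy moves %zu bytes\n",
           sg_reply_copy(user_buf, sizeof user_buf, reply, sizeof reply, d.reply_len));
    return 0;
}
```

Decoding the dump this way gives pack_len 50, reply_len 164, a 6-byte WRITE(6) CDB (opcode 0x0A) and 8 data bytes, which is exactly 36 + 6 + 8, so the packet itself is consistent; only the reply length is out of step with what comes back. The two reply_copy_* functions make the check the post is asking about explicit: the trusting version reads 164 bytes out of a 36-byte reply, the clamped one stops at 36.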