[5508] in linux-scsi channel archive
SCSI sr_ioctl.c memory leak if LBA is invalid
daemon@ATHENA.MIT.EDU (Alexander Feigl)
Thu Dec 31 11:20:10 1998
From: Alexander Feigl <Alexander.Feigl@gmx.de>
To: linux-scsi@vger.rutgers.edu
Date: Thu, 31 Dec 1998 09:05:09 +0100
Hello!
Some days ago I reported a little bug in the SCSI CDROM interface (sr_mod) to
the linux-scsi mailing list. Because it still seems buggy in 2.2.0pre1, I'll
repeat it here because it should be fixed in 2.2.0.
If the CDROMREAD... ioctls of the SCSI CDROM module are called with an invalid
LBA, the SCSI buffers (which were allocated before) remain allocated forever
because there is no scsi_free() call. As far as I can see this can be fixed by
checking the LBA before scsi_malloc() is called. I've included a patch - have a
look at it.
Greetings
Alexander Feigl
--- linux/drivers/scsi/sr_ioctl.c Thu Dec 31 08:56:55 1998
+++ linux/drivers/scsi/sr_ioctl.c.new Thu Dec 31 09:14:32 1998
@@ -788,16 +788,17 @@
if (copy_from_user(&msf,(void*)arg,sizeof(msf)))
return -EFAULT;
- spin_lock_irqsave(&io_request_lock, flags);
- raw = scsi_malloc(2048+512);
- spin_unlock_irqrestore(&io_request_lock, flags);
- if (!(raw))
- return -ENOMEM;
lba = (((msf.cdmsf_min0 * CD_SECS) + msf.cdmsf_sec0)
* CD_FRAMES + msf.cdmsf_frame0) - CD_MSF_OFFSET;
if (lba < 0 || lba >= scsi_CDs[target].capacity)
return -EINVAL;
+
+ spin_lock_irqsave(&io_request_lock, flags);
+ raw = scsi_malloc(2048+512);
+ spin_unlock_irqrestore(&io_request_lock, flags);
+ if (!(raw))
+ return -ENOMEM;
rc = sr_read_sector(target, lba, blocksize, raw);
if (!rc)
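Review bot: the failure path after `rc = sr_read_sector(target, lba, blocksize, raw);` is not visible in this hunk (the context stops at `if (!rc)`), so confirm that `raw` is handed back with scsi_free() when the read fails and not only on the `!rc` branch; otherwise a bad sector leaks the buffer the same way the bad LBA did. The reordering itself is right: with the `lba < 0 || lba >= scsi_CDs[target].capacity` check ahead of scsi_malloc(), the `-EINVAL` return no longer leaves a 2048+512 byte buffer allocated, and the `-ENOMEM` return still happens before anything is held. Two smaller points: the cover mail speaks of the CDROMREAD... ioctls in the plural while this hunk touches a single case, so the other CDROMREAD* cases in sr_ioctl.c should be checked for the same allocate-then-validate order; and the added blank `+` line after `return -EINVAL;` is a whitespace-only change that could be dropped to keep the diff minimal.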
--
Alexander Feigl E-Mail : Alexander.Feigl@gmx.de
Burachstraße 51 Homepage : http://members.tripod.com/~lonely_dreamer
D-88250 Weingarten
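The allocate-then-validate leak the mail describes, modelled in user space as an added example (this is not code from the original post or from the kernel's sr_ioctl.c). The counting allocator, the read-sector stub, the handler names and the 1000-block capacity are assumptions made for the demonstration; the CD_SECS, CD_FRAMES and CD_MSF_OFFSET values and the struct cdrom_msf field names follow linux/cdrom.h, and 2048+512 is the buffer size from the patch. The leaky handler mirrors the order of operations before the patch, the fixed one the order after it, and count_leaks() shows how many buffers each leaves behind after one valid and two invalid addresses.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CD_SECS        60   /* seconds per minute (linux/cdrom.h) */
#define CD_FRAMES      75   /* frames per second  (linux/cdrom.h) */
#define CD_MSF_OFFSET 150   /* MSF 00:02:00 is LBA 0 (linux/cdrom.h) */
#define RAW_BUF_SIZE (2048 + 512)   /* size used by the patched code */
#define CAPACITY      1000  /* assumed disc size in blocks (stands in for scsi_CDs[target].capacity) */

/* Start-address fields of struct cdrom_msf; the end-address fields are not needed here. */
struct cdrom_msf {
    unsigned char cdmsf_min0, cdmsf_sec0, cdmsf_frame0;
};

/* Stand-ins for scsi_malloc()/scsi_free() that count live buffers so a leak is observable. */
static int live_buffers;

static void *fake_scsi_malloc(size_t n) {
    void *p = malloc(n);
    if (p)
        live_buffers++;
    return p;
}

static void fake_scsi_free(void *p, size_t n) {
    (void)n;
    if (p) {
        live_buffers--;
        free(p);
    }
}

/* Stand-in for sr_read_sector(): always succeeds and fills the buffer. */
static int fake_read_sector(int lba, int blocksize, unsigned char *buf) {
    memset(buf, (unsigned char)lba, (size_t)blocksize);
    return 0;
}

/* Same arithmetic as the patch: MSF to logical block address, may be negative. */
int msf_to_lba(const struct cdrom_msf *m) {
    return ((m->cdmsf_min0 * CD_SECS + m->cdmsf_sec0) * CD_FRAMES + m->cdmsf_frame0)
           - CD_MSF_OFFSET;
}

/* Before the patch: allocate, then validate; the -EINVAL return never frees raw. */
int read_mode2_leaky(const struct cdrom_msf *msf, int blocksize) {
    unsigned char *raw = fake_scsi_malloc(RAW_BUF_SIZE);
    if (!raw)
        return -ENOMEM;
    int lba = msf_to_lba(msf);
    if (lba < 0 || lba >= CAPACITY)
        return -EINVAL;                 /* raw is leaked here */
    int rc = fake_read_sector(lba, blocksize, raw);
    fake_scsi_free(raw, RAW_BUF_SIZE);
    return rc;
}

/* After the patch: validate first, so nothing is held when -EINVAL is returned. */
int read_mode2_fixed(const struct cdrom_msf *msf, int blocksize) {
    int lba = msf_to_lba(msf);
    if (lba < 0 || lba >= CAPACITY)
        return -EINVAL;
    unsigned char *raw = fake_scsi_malloc(RAW_BUF_SIZE);
    if (!raw)
        return -ENOMEM;
    int rc = fake_read_sector(lba, blocksize, raw);
    fake_scsi_free(raw, RAW_BUF_SIZE);
    return rc;
}

/* Drives a handler with one valid and two invalid addresses (constructed inputs)
 * and returns how many buffers are still allocated afterwards. */
int count_leaks(int (*handler)(const struct cdrom_msf *, int)) {
    const struct cdrom_msf ok           = { 0, 2, 0 };   /* LBA 0 */
    const struct cdrom_msf before_start = { 0, 0, 0 };   /* LBA -150 */
    const struct cdrom_msf past_end     = { 99, 0, 0 };  /* LBA 445350, beyond CAPACITY */
    live_buffers = 0;
    handler(&ok, 2048);
    handler(&before_start, 2048);
    handler(&past_end, 2048);
    return live_buffers;
}

int main(void) {
    printf("leaky handler leaves %d buffer(s) allocated\n", count_leaks(read_mode2_leaky));
    printf("fixed handler leaves %d buffer(s) allocated\n", count_leaks(read_mode2_fixed));
    return 0;
}
```

Each invalid address costs the pre-patch handler one 2560-byte SCSI buffer that is never returned to the pool, which is what an unprivileged caller with an open /dev/sr* descriptor could drive in a loop; the fixed ordering makes every successful allocation reach its scsi_free().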