[Stgt-devel] Patches for MMC and fix for serious crash bug in spc_mode_sense()

ronnie sahlberg ronniesahlberg
Fri May 2 14:55:22 CEST 2008

Please disregard the previous patchset.

Please find attached a patchset that contains

0001 fix a bug in mode sense 10 where the data length is 1 too little
0002 don't set modepages in the example, these pages are created by
default when the lun is created anyway
0003 add modepage for mm capabilities
0004 fix crash bug in spc_mode_sense(): if an application is asking
for mode sense and specifies a small allocation length,
spc_mode_sense() and build_mode_page() would write beyond the end of
the data array and overwrite other things, causing tgtd to crash.
This has probably not been seen before since, prior to 0003 above, there
haven't been any very large mode pages and tgtd just must have been
0005 mode page for write parameters
0006 example on how to use dvdrecorder under linux with the emulation
0007 final fix so that both windows dvddecrypter and also linux
dvdrecorder can write to the emulated lun

please apply

ronnie sahlberg

On Fri, May 2, 2008 at 2:06 PM, ronnie sahlberg
<ronniesahlberg at gmail.com> wrote:
> Please find attached a few smallish patches,
> 0001: Fix a "length too small by one" bug in mode sense 10.
> 0002: we don't need to specify these mode pages in the mmc example
> since they are set by default when the lun is initialized
> 0003: add the modepage for MM capabilities (this mode page was what
> discovered the bug below)
> 0004: this fixes a serious crash bug in spc_mode_sense. The bug is
> triggered when an initiator is specifying a small alloc_len but the
> modepage is big.
> This causes the memcpy() in build_mode_page() to overwrite other vital
> memory and tgtd crashes.
> I tried to address it for modesense10 only. The same bug still
> exists for the modesense6 path.
> Please, if someone more comfortable than I can look at the issue and
> do a better/more correct patch for this.
> This is a pretty important bug to fix.
> regards
> ronnie sahlberg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mmc.diff.tgz
Type: application/x-gzip
Size: 4537 bytes
Desc: not available
Url : https://lists.berlios.de/pipermail/stgt-devel/attachments/20080502/18939e9c/attachment.gz 
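
An added example, not part of the original post and not the tgt source: one way to build a MODE SENSE(10) response so that a small allocation length truncates the copy instead of overrunning the data buffer, which is the failure mode described for patch 0004. The names `struct mode_page`, `put` and `mode_sense10` are hypothetical, the page payload is constructed, and the example assumes no block descriptors and that the mode data length field reports the full untruncated length.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical page descriptor: page code, page length, then len bytes. */
struct mode_page { uint8_t code; uint8_t len; const uint8_t *data; };

/* Append n bytes at logical offset *off, never writing past cap bytes.
 * *off still advances by n, so the full response length stays known. */
static void put(uint8_t *buf, size_t cap, size_t *off, const void *src, size_t n)
{
    if (n && *off < cap) {
        size_t room = cap - *off;
        memcpy(buf + *off, src, n < room ? n : room);
    }
    *off += n;
}

/* MODE SENSE(10) response without block descriptors.
 * Returns the bytes placed in buf: at most alloc_len and at most buf_size. */
size_t mode_sense10(uint8_t *buf, size_t buf_size, size_t alloc_len,
                    const struct mode_page *pages, size_t npages)
{
    size_t cap = alloc_len < buf_size ? alloc_len : buf_size;
    size_t off = 0, total = 8;              /* 8-byte mode parameter header */
    uint8_t hdr[8] = {0};
    for (size_t i = 0; i < npages; i++)
        total += 2 + (size_t)pages[i].len;
    /* Mode data length counts the bytes after the 2-byte field itself. */
    hdr[0] = (uint8_t)((total - 2) >> 8);
    hdr[1] = (uint8_t)(total - 2);
    put(buf, cap, &off, hdr, sizeof(hdr));
    for (size_t i = 0; i < npages; i++) {
        uint8_t ph[2] = { pages[i].code, pages[i].len };
        put(buf, cap, &off, ph, sizeof(ph));
        put(buf, cap, &off, pages[i].data, pages[i].len);
    }
    return off < cap ? off : cap;
}

int main(void)
{
    uint8_t payload[58] = {0};              /* constructed page contents */
    struct mode_page pg = { 0x2A, sizeof(payload), payload };
    uint8_t buf[256];
    size_t n = mode_sense10(buf, sizeof(buf), 16, &pg, 1); /* 16 of 68 bytes */
    printf("%zu bytes, mode data length %u\n", n, (unsigned)((buf[0] << 8) | buf[1]));
    return 0;
}
```

Every write goes through `put`, so the bound is enforced in one place regardless of how large an individual page is.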
