On Tue, Aug 06, 2024 at 09:12:21PM +0200, Martin Wilck wrote:
> On Fri, 2024-08-02 at 13:26 -0400, Benjamin Marzinski wrote:
> > The ontap prioritizer functions dump_cdb() and process_sg_error()
> > both
> > incorrectly set the snprintf() limits larger than the available
> > space.
> > Instead of multiplying the number of elements to print by the size of
> > an
> > element to calculate the limit, they multiplied the number of
> > elements
> > to print by the maximum number of elements that the buffer could
> > hold.
> >
> > Fix this, and also make sure that the number of elements to print is
> > less than or equal to the maximum number that the buffer can hold.
> >
> > Signed-off-by: Benjamin Marzinski <bmarzins@xxxxxxxxxx>
> > ---
> > libmultipath/prioritizers/ontap.c | 8 ++++----
> > 1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/libmultipath/prioritizers/ontap.c
> > b/libmultipath/prioritizers/ontap.c
> > index 117886ea..28e663ac 100644
> > --- a/libmultipath/prioritizers/ontap.c
> > +++ b/libmultipath/prioritizers/ontap.c
> > @@ -39,8 +39,8 @@ static void dump_cdb(unsigned char *cdb, int size)
> > char * p = &buf[0];
> >
> > condlog(0, "- SCSI CDB: ");
> > - for (i=0; i<size; i++) {
> > - p += snprintf(p, 10*(size-i), "0x%02x ", cdb[i]);
> > + for (i = 0; i < size && i < 10; i++) {
> > + p += snprintf(p, 5*(size-i), "0x%02x ", cdb[i]);
> > }
>
> This seems incorrect, too. We should pass the remaining size of the
> buffer, which is ((10 - i) * 5 + 1), unless I am mistaken. It's bogus
> to use the "size" variable in the calculation of the remaining buffer
> size. Plus, we should break the loop if i >= 10, and check the return
> value of snprintf (if we don't, we might as well use sprintf in the
> first place).
>
> Actually, this code is horrible and we should rather use strbuf.
> Strange that none of our many compilers found this, and even coverity
> didn't.
>
> > condlog(0, "%s", buf);
> > }
> > @@ -56,8 +56,8 @@ static void process_sg_error(struct sg_io_hdr
> > *io_hdr)
> > io_hdr->host_status, io_hdr->driver_status);
> > if (io_hdr->sb_len_wr > 0) {
> > condlog(0, "- SCSI sense data: ");
> > - for (i=0; i<io_hdr->sb_len_wr; i++) {
> > - p += snprintf(p, 128*(io_hdr->sb_len_wr-i),
> > "0x%02x ",
> > + for (i = 0; i < io_hdr->sb_len_wr && i < 128; i++) {
> > + p += snprintf(p, 5*(io_hdr->sb_len_wr-i),
> > "0x%02x ",
> > io_hdr->sbp[i]);
> > }
>
> Same here, the remaining buffer size is (5 * (128 - i) + 1).
Sure. I'll send a v2.
-Ben
> Martin
>
> > condlog(0, "%s", buf);
