On Mon, Apr 8, 2024, at 17:59, Dan Carpenter wrote:
> On Mon, Apr 08, 2024 at 04:45:55PM +0200, Arnd Bergmann wrote:
>> On Thu, Mar 28, 2024, at 17:35, Dan Carpenter wrote:
>> >> if (sendbytes > 8) {
>> >> memcpy(buf, inquiry_buf, 8);
>> >> - strncpy(buf + 8, inquiry_string, sendbytes - 8);
>> >> + memcpy(buf + 8, inquiry_string, min(sendbytes, 36) - 8);
>> >
>> > I think your math is off. The string is 29 characters + NUL. So it
>> > should be "min(sendbytes, 38) - 8". You're chopping off the space and
>> > the NUL terminator.
>> >
>> > This only affects pro_formatter_flag code...
>>
>> The extra two bytes were clearly a mistake in the original version
>> at the time it got added to drivers/staging. Note how the code
>> immediately below it would overwrite the space and NUL byte again:
>>
>> if (pro_formatter_flag) {
>> if (sendbytes > 36)
>> memcpy(buf + 36, formatter_inquiry_str, sendbytes - 36);
>> }
>>
>
> Ah. Okay. Fair enough.
>
> I do think this code is really suspect... What is the point of allowing
> sendbytes < 36? But that's not related to your patch.
As far as I can tell, the driver tries to emulate the behavior
or normal scsi commands that could be issued from userspace through
SGIO with a short length. drivers/ata/libata-scsi.c has code to
handle INQUIRY as well that is somewhat similar but also different
enough that I don't trust the rts5208 version of it.
On a separate note, I just noticed that I forgot to put
the driver name into the subject line, which I've fixed
up for v2 as well now.
Arnd
