Hi, in spc_inquiry copying a page you have this code:

    data[0] = devtype;
    data[1] = pcode;
    data[2] = (vpd_pg->size >> 8);
    data[3] = vpd_pg->size & 0xff;
    memcpy(&data[4], vpd_pg->data, vpd_pg->size);
    len = vpd_pg->size + 4;

However, data points to a stack-allocated buffer of 256 bytes, so if vpd_pg->size is > 252 (data is copied from byte 4) you have a possible overflow. vpd_pg->size is 16 bit and you use the entire length just to fill data[2] and data[3], so this seems to confirm that size could be quite big. Happily, however, pages are all allocated in the spc.c code and the sizes are quite small, so for now it's not exploitable.

I was trying to support more scsi_id emulations (like NAA).

Frediano
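The fix the report implies is to check the page size against the space left in the response buffer before the memcpy. The following is an added, self-contained example (not code from tgt); the `struct vpd_page` shape, the function name `vpd_copy_checked` and the demo pages are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the VPD page descriptor (assumed shape):
 * a 16-bit size, as in the report, plus a pointer to the page payload. */
struct vpd_page {
    uint16_t size;
    const uint8_t *data;
};

#define INQ_HDR_LEN 4   /* devtype, page code, 2-byte page length */

/* Copy one VPD page into the caller's response buffer of data_len bytes.
 * Returns the total bytes written (header + payload), or -1 when the page
 * would not fit, instead of writing past the end as the unchecked code does. */
int vpd_copy_checked(uint8_t *data, size_t data_len,
                     uint8_t devtype, uint8_t pcode,
                     const struct vpd_page *vpd_pg)
{
    if (data_len < INQ_HDR_LEN)
        return -1;
    /* Bounds check before touching the buffer: payload must fit after the header. */
    if (vpd_pg->size > data_len - INQ_HDR_LEN)
        return -1;

    data[0] = devtype;
    data[1] = pcode;
    data[2] = (uint8_t)(vpd_pg->size >> 8);
    data[3] = (uint8_t)(vpd_pg->size & 0xff);
    memcpy(&data[INQ_HDR_LEN], vpd_pg->data, vpd_pg->size);
    return (int)(vpd_pg->size + INQ_HDR_LEN);
}

/* Demo helpers using a 256-byte buffer like the one in the report (constructed data). */
static uint8_t g_small[16] = { [0 ... 15] = 0xAB };  /* fits: 16 + 4 = 20 */
static uint8_t g_edge[252];                          /* exactly fills 256 bytes */
static uint8_t g_big[300];                           /* the overflow case, now refused */

int demo_small_page(void)
{
    uint8_t buf[256];
    struct vpd_page pg = { 16, g_small };
    return vpd_copy_checked(buf, sizeof buf, 0x00, 0x83, &pg);   /* 20 */
}

int demo_edge_page(void)
{
    uint8_t buf[256];
    struct vpd_page pg = { 252, g_edge };
    return vpd_copy_checked(buf, sizeof buf, 0x00, 0x83, &pg);   /* 256 */
}

int demo_oversized_page(void)
{
    uint8_t buf[256];
    struct vpd_page pg = { 300, g_big };
    return vpd_copy_checked(buf, sizeof buf, 0x00, 0x83, &pg);   /* -1 */
}
```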