[PATCH 3/4] ses: fix possible desc_ptr out-of-bounds accesses in ses_enclosure_data_process

From: Tomas Henzl <thenzl@redhat.com>
To: linux-scsi@vger.kernel.org
Subject: [PATCH 3/4] ses: fix possible desc_ptr out-of-bounds accesses in ses_enclosure_data_process
Date: Mon, 30 Jan 2023 11:13:16 +0100	[thread overview]
Message-ID: <20230130101317.4862-4-thenzl@redhat.com> (raw)
In-Reply-To: <20230130101317.4862-1-thenzl@redhat.com>

Sanitize possible desc_ptr out-of-bounds accesses
in ses_enclosure_data_process.

Signed-off-by: Tomas Henzl <thenzl@redhat.com>
---
 drivers/scsi/ses.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index 896fd4f6e93d..dbfe12f63c98 100644
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -572,15 +572,19 @@ static void ses_enclosure_data_process(struct enclosure_device *edev,
 			int max_desc_len;
 
 			if (desc_ptr) {
-				if (desc_ptr >= buf + page7_len) {
+				if (desc_ptr + 3 >= buf + page7_len) {
 					desc_ptr = NULL;
 				} else {
 					len = (desc_ptr[2] << 8) + desc_ptr[3];
 					desc_ptr += 4;
-					/* Add trailing zero - pushes into
-					 * reserved space */
-					desc_ptr[len] = '\0';
-					name = desc_ptr;
+					if (desc_ptr + len > buf + page7_len)
+						desc_ptr = NULL;
+					else {
+						/* Add trailing zero - pushes into
+						 * reserved space */
+						desc_ptr[len] = '\0';
+						name = desc_ptr;
+					}
 				}
 			}
 			if (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE ||
-- 
2.38.1

