Improve buffer overflow checking in scsi_command_util::ModeSelect

Signed-off-by: Klaus Kämpf <[email protected]>
PiSCSI · Apr 2, 2024 · c3f8d94 · c3f8d94
1 parent 73917bc
commit c3f8d94
Showing 1 changed file with 17 additions and 2 deletions.
diff --git a/cpp/devices/scsi_command_util.cpp b/cpp/devices/scsi_command_util.cpp
@@ -33,9 +33,17 @@ string scsi_command_util::ModeSelect(scsi_command cmd, cdb_t cdb, span<const uin
 	// Skip block descriptors
 	int offset;
 	if (cmd == scsi_command::eCmdModeSelect10) {
+        	if (length < 7) {
+			spdlog::warn("Incomplete Mode parameter header(10)");
+			throw scsi_exception(sense_key::illegal_request, asc::invalid_field_in_parameter_list);
+		}
 		offset = 8 + GetInt16(buf, 6);
 	}
 	else {
+        	if (length < 4) {
+			spdlog::warn("Incomplete Mode parameter header(6)");
+			throw scsi_exception(sense_key::illegal_request, asc::invalid_field_in_parameter_list);
+		}
 		offset = 4 + buf[3];
 	}
 	length -= offset;
@@ -44,8 +52,7 @@ string scsi_command_util::ModeSelect(scsi_command cmd, cdb_t cdb, span<const uin
 	bool has_valid_page_code = (length == 0);
 
 	// Parse the pages
-        // expect (remaining) length > 1 because we access buf[offset+1] below
-	while (length > 1) {
+	while (length > 0) {
 		// Format device page
 		if (const int page = buf[offset]; page == 0x03) {
 			if (length < 14) {
@@ -68,12 +75,20 @@ string scsi_command_util::ModeSelect(scsi_command cmd, cdb_t cdb, span<const uin
 			// OpenVMS Alpha 7.3 uses this
 			has_valid_page_code = true;
 		}
+		else if (page == 0x00) {
+			has_valid_page_code = true;
+			break; // page 0 must be last in list, might not have a size byte following
+		}
 		else {
 			stringstream s;
 			s << "Unknown MODE SELECT page code: $" << setfill('0') << setw(2) << hex << page;
 			result = s.str();
 		}
 
+		if (length < 2) { // ensure there's a size byte before accessing it
+			spdlog::warn("Current MODE SELECT page has no size");
+			throw scsi_exception(sense_key::illegal_request, asc::invalid_field_in_parameter_list);
+		}
 		// Advance to the next page
 		const int size = buf[offset + 1] + 2;