Buffer overflow in scsi_decode_lu_dev_id

[Ross Lagerwall]

Hi, I encountered a buffer overflow in smartd:

(gdb) bt
#0  0x00007f70d94031d4 in __pthread_kill_implementation () from /lib64/libc.so.6
#1  0x00007f70d93b0b8e in raise () from /lib64/libc.so.6
#2  0x00007f70d9399378 in abort () from /lib64/libc.so.6
#3  0x00007f70d939a428 in __libc_message_impl.cold () from /lib64/libc.so.6
#4  0x00007f70d947a0a9 in __fortify_fail () from /lib64/libc.so.6
#5  0x00007f70d9479a54 in __chk_fail () from /lib64/libc.so.6
#6  0x00007f70d947b135 in __snprintf_chk () from /lib64/libc.so.6
#7  0x0000555d9d10ca59 in snprintf (__fmt=0x555d9d16b101 "%02x", __n=18446744073709551614, __s=0x7ffd540faa52 "") at /usr/include/bits/stdio2.h:68
#8  scsi_decode_lu_dev_id (slen=64, transport=0x0, s=0x7ffd540faa10 "0x600a098038313577792450384a4a62750x2450384a4a62750000a09838313", blen=<optimized out>, b=0x7ffd540fac94 "\002\001") at /usr/src/debug/smartmontools-7.4-4.xs9.x86_64/scsicmds.cpp:793
#9  SCSIDeviceScan (cfg=..., state=..., scsidev=<optimized out>, prev_cfgs=prev_cfgs@entry=0x7ffd54100800) at /usr/src/debug/smartmontools-7.4-4.xs9.x86_64/smartd.cpp:2462
#10 0x0000555d9d11420a in register_device (prev_cfgs=<optimized out>, dev=..., state=..., cfg=...) at /usr/src/debug/smartmontools-7.4-4.xs9.x86_64/smartd.cpp:5604
#11 register_devices (conf_entries=..., scanned_devs=..., configs=..., states=..., devices=...) at /usr/src/debug/smartmontools-7.4-4.xs9.x86_64/smartd.cpp:5694
#12 0x0000555d9d11d8a1 in main_worker (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/smartmontools-7.4-4.xs9.x86_64/smartd.cpp:5792
#13 0x0000555d9d105ac2 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/smartmontools-7.4-4.xs9.x86_64/smartd.cpp:5942 

It is triggered by a device with the following VPD 0x83 page:

$ sg_vpd -p 0x83 /dev/sdb
Device Identification VPD page:
  Addressed logical unit:
    designator type: T10 vendor identification,  code set: ASCII
      vendor id: NETAPP  
      vendor specific:  LUN 815wy$P8JJbu       
    designator type: NAA,  code set: Binary
      0x600a098038313577792450384a4a6275
    designator type: EUI-64 based,  code set: Binary
      0x2450384a4a62750000a0983831357779
  Target port:
    designator type: NAA,  code set: Binary
      0x600a098000000001200500a098f5f6d0
    designator type: Relative target port,  code set: Binary
      Relative target port: 0x12
    designator type: Target port group,  code set: Binary
      Target port group: 0x3e8
  Target device that contains addressed lu:
    designator type: SCSI name string,  code set: UTF-8
      SCSI name string:
      naa.600A098038313577792450384A4A626E

$ sg_vpd --hex -p 0x83 /dev/sdb
Device Identification VPD page:
 00     00 83 00 9c 02 01 00 20  4e 45 54 41 50 50 20 20    ....... NETAPP  
 10     20 4c 55 4e 20 38 31 35  77 79 24 50 38 4a 4a 62     LUN 815wy$P8JJb
 20     75 20 20 20 20 20 20 20  01 03 00 10 60 0a 09 80    u       ....`...
 30     38 31 35 77 79 24 50 38  4a 4a 62 75 01 02 00 10    815wy$P8JJbu....
 40     24 50 38 4a 4a 62 75 00  00 a0 98 38 31 35 77 79    $P8JJbu....815wy
 50     01 13 00 10 60 0a 09 80  00 00 00 01 20 05 00 a0    ....`....... ...
 60     98 f5 f6 d0 01 14 00 04  00 00 00 12 01 15 00 04    ................
 70     00 00 03 e8 03 28 00 28  6e 61 61 2e 36 30 30 41    .....(.(naa.600A
 80     30 39 38 30 33 38 33 31  33 35 37 37 37 39 32 34    0980383135777924
 90     35 30 33 38 34 41 34 41  36 32 36 45 00 00 00 00    50384A4A626E....

I have attached a couple of patches to fix the issue.