From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dominik Csapak
To: pbs-devel@lists.proxmox.com
Date: Wed, 21 Apr 2021 12:24:57 +0200
Message-Id: <20210421102457.12745-1-d.csapak@proxmox.com>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results: 0 AWL -0.000 Adjusted score from AWL reputation of
From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [PATCH proxmox-backup] tape/changer/sg_pt_changer: read whole descriptor size for each entry X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Apr 2021 10:34:29 -0000 Some changer seem to append more data than we expect, but correctly annotates that size in the subheader. For each descriptor entry, read as much as the size given in the subheader (or until the end of the reader), else our position in the reader is wrong for the next entry, and we will parse incorrect data. Signed-off-by: Dominik Csapak --- src/tape/changer/sg_pt_changer.rs | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/tape/changer/sg_pt_changer.rs b/src/tape/changer/sg_pt_changer.rs index 785fc9ce..31c38576 100644 --- a/src/tape/changer/sg_pt_changer.rs +++ b/src/tape/changer/sg_pt_changer.rs @@ -593,6 +593,8 @@ fn decode_element_status_page( break; } + let len_before = reader.len(); + match subhead.element_type_code { 1 => { let desc: TrasnsportDescriptor = unsafe { reader.read_be_value()? }; @@ -693,6 +695,19 @@ fn decode_element_status_page( } code => bail!("got unknown element type code {}", code), } + + // we have to consume the whole descriptor size, else + // our position in the reader is not correct + let len_after = reader.len(); + let have_read = len_before - len_after; + let desc_len = subhead.descriptor_length as usize; + if desc_len > have_read { + let mut left_to_read = desc_len - have_read; + if left_to_read > len_after { + left_to_read = len_after; // reader has not enough data? + } + let _ = reader.read_exact_allocated(left_to_read)?; + } } } -- 2.20.1
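Review bot: the block added after the `match` in `decode_element_status_page` only handles `desc_len > have_read`; when `have_read` is larger than `subhead.descriptor_length` (the device announces a descriptor shorter than the struct that was just read), the reader has already consumed part of the next entry and nothing reports it, which is the same misaligned-parse problem the commit message describes. Consider an explicit branch for `desc_len < have_read` that bails with the element type code and both lengths. In the same block, clamping `left_to_read` to `len_after` silently accepts a page that ends before the announced descriptor length; the comment there ends in a question mark, so it would be better to either bail or log that case, since the length comes from the device. Finally, `let _ = reader.read_exact_allocated(left_to_read)?;` allocates a buffer only to drop it; if the reader type offers a way to advance without allocating, that would fit the intent better.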