08 September 2016, 17:51   #7
mark_k
Registered User
 
Join Date: Aug 2004
Posts: 2,483
In scsi.cpp there is this:
Code:
static void copysense(struct scsi_data *sd)
{
	int len = sd->cmd[4];
	if (log_scsiemu)
		write_log (_T("REQUEST SENSE length %d (%d)\n"), len, sd->sense_len);
	if (len == 0)
		len = 4;
	memset(sd->buffer, 0, len);
	memcpy(sd->buffer, sd->sense, sd->sense_len > len ? len : sd->sense_len);
	if (len > 7 && sd->sense_len > 7)
		sd->buffer[7] = sd->sense_len - 8;
	if (sd->sense_len == 0)
		sd->buffer[0] = 0x70;
	showsense (sd);
	sd->data_len = len;
	scsi_clear_sense(sd);
}
So it looks like you respond with 4 bytes when CDB[4] is 0. But the first byte of the response in that case will be 0x70 not the ASC value?

And! I just noticed this from the log that B14ck W01f posted:
SCSIEMU HD 0: 08.00.9F.F9.11.05.00.00.00.00.00.00 CMDLEN=6 DATA=0000000006987430
UAEHF SCSI: out of bounds, 00000000-013FF200 + 00000000-00002200 > 00000000-01400000
-> SENSE STATUS: KEY=5 ASC=21 ASCQ=00
70.00.05.00.00.00.00.0A.00.00.00.00.21.00.00.00.00.00.
-> DATAOUT=-1 ST=2 SENSELEN=18 REPLYLEN=0
SCSIEMU HD 0: 03.00.9F.F9.11.05.00.00.00.00.00.00 CMDLEN=0 DATA=0000000000000000


Tecmar driver issues out-of-bounds READ: 08 00 9F F9 11 05
Then it issues REQUEST SENSE: 03.00.9F.F9.11.05
Notice that all CDB bytes except the first are unchanged from the previous READ command. So it seems, at least for the Tecmar case, you need to ignore CDB[4] and always return 4 bytes.
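To make the two cases concrete, here is an added example (not mark_k's post nor WinUAE's scsi.cpp) that replays the posted copysense() steps on the CDBs and the 18-byte sense data quoted from the log above, and then tries to decode KEY/ASC/ASCQ from whatever the reply contains; the struct and function names are assumptions for this snippet.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of one emulated REQUEST SENSE: reply bytes, their length, and the
 * KEY/ASC/ASCQ decoded from them (-1 when the reply is too short to hold them). */
struct sense_reply {
    int len;
    uint8_t data[256];      /* CDB[4] is one byte, so len never exceeds 255 */
    int key, asc, ascq;
};

/* Constructed from the log lines above: the Tecmar REQUEST SENSE CDB with stale
 * bytes 1..5 from the READ before it, a clean CDB, and the pending sense data. */
static const uint8_t TECMAR_CDB[6] = { 0x03, 0x00, 0x9F, 0xF9, 0x11, 0x05 };
static const uint8_t CLEAN_CDB[6]  = { 0x03, 0x00, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t LOGGED_SENSE[18] = {
    0x70, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x0A,
    0x00, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00 };

/* Same steps as the posted copysense(): allocation length from CDB[4] (0 means 4),
 * copy min(len, sense_len) bytes, patch "additional sense length" into byte 7,
 * and answer 0x70 with no error when nothing is pending. */
struct sense_reply request_sense(const uint8_t *cdb, const uint8_t *sense, int sense_len)
{
    struct sense_reply r;
    memset(&r, 0, sizeof r);
    r.len = cdb[4];
    if (r.len == 0)
        r.len = 4;
    memcpy(r.data, sense, sense_len > r.len ? r.len : sense_len);
    if (r.len > 7 && sense_len > 7)
        r.data[7] = (uint8_t)(sense_len - 8);
    if (sense_len == 0)
        r.data[0] = 0x70;
    /* Fixed-format sense (0x70/0x71): KEY in byte 2, ASC/ASCQ in bytes 12/13.
     * A 4-byte reply starts with 0x70 but cannot carry the ASC at all. */
    r.key = r.asc = r.ascq = -1;
    if (r.len >= 14 && (r.data[0] & 0x7E) == 0x70) {
        r.key  = r.data[2] & 0x0F;
        r.asc  = r.data[12];
        r.ascq = r.data[13];
    }
    return r;
}

int main(void)
{
    struct sense_reply r = request_sense(TECMAR_CDB, LOGGED_SENSE, sizeof LOGGED_SENSE);
    printf("Tecmar CDB: %d bytes, KEY=%d ASC=%02X ASCQ=%02X\n", r.len, r.key, r.asc, r.ascq);
    r = request_sense(CLEAN_CDB, LOGGED_SENSE, sizeof LOGGED_SENSE);
    printf("CDB[4]=0:   %d bytes, first byte %02X, ASC not present\n", r.len, r.data[0]);
    return 0;
}
```

With the Tecmar CDB the stale 0x11 becomes a 17-byte allocation length, so the driver gets KEY=5 ASC=21 as logged; a clean CDB[4]=0 yields only the 4 bytes 70 00 05 00.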