kern/155658: [amr] [patch] amr_ioctl(): call of malloc() causes memory corruption and panic

[Scott Long]

The following reply was made to PR kern/155658; it has been noted by GNATS.

From: Scott Long <scottl at samsco.org>
To: bug-followup at FreeBSD.org, longwitz at incore.de
Cc:  
Subject: Re: kern/155658: [amr] [patch] amr_ioctl(): call of malloc() causes memory corruption and panic
Date: Tue, 17 Apr 2012 14:01:21 -0600

 Is the problem that the buffer in allocated to be too big, or too small?
 
 The bug report talks about a 36 byte buffer being requested from megarc, =
 but the firmware returning 1k instead.  If this is the bug that I'm =
 thinking, then it was fixed in the linux ioctl path a few years ago.  I =
 had hoped that megarc would never be compiled and run natively on =
 FreeBSD, so I didn't fix it in the native path.
 
 The fix is to always allocate a minimum of 4k and attach it to the =
 command sent to the card, but only copy back to user land the length =
 that the ioctl requests.  This is what linux does.  It's a bug in the =
 megaraid firmware, and it's a bug in megarc, and I had hoped that LSI =
 would be better than this.  Note that the linux ioctl path in the driver =
 that I mentioned only does this as a special case when the length is 0.  =
 It sounds like it needs to be done for all cases of min(au_lenth, 4096).
 
 I'm not sure why there's a discussion on max length; if I'm not =
 understanding the problem, please let me know.