ctl_report_supported_opcodes: Handle invalid requested service action

Service actions are only valid up to 31 as they are encoded in the low 5 bits of byte 1 in CDBs. Fail requests with a requested service action of 32 or higher with an INVALID FIELD IN COMMAND specifying byte 4 as the illegal byte. Reviewed by: asomers Differential Revision: https://reviews.freebsd.org/D46611
bsdjhb · Oct 21, 2024 · 0e3a211 · 0e3a211
1 parent 5201dec
commit 0e3a211
Showing 1 changed file with 11 additions and 7 deletions.
diff --git a/sys/cam/ctl/ctl.c b/sys/cam/ctl/ctl.c
@@ -7461,16 +7461,20 @@ ctl_report_supported_opcodes(struct ctl_scsiio *ctsio)
 		total_len = sizeof(struct scsi_report_supported_opcodes_one) + 32;
 		break;
 	case RSO_OPTIONS_OC_SA:
-		if ((ctl_cmd_table[opcode].flags & CTL_CMD_FLAG_SA5) == 0 ||
-		    service_action >= 32) {
+		if ((ctl_cmd_table[opcode].flags & CTL_CMD_FLAG_SA5) == 0) {
 			goto invalid_options;
 		}
-		total_len = sizeof(struct scsi_report_supported_opcodes_one) + 32;
-		break;
+		/* FALLTHROUGH */
 	case RSO_OPTIONS_OC_ASA:
-		if ((ctl_cmd_table[opcode].flags & CTL_CMD_FLAG_SA5) != 0 &&
-		    service_action >= 32) {
-			goto invalid_options;
+		if (service_action >= 32) {
+			ctl_set_invalid_field(/*ctsio*/ ctsio,
+					      /*sks_valid*/ 1,
+					      /*command*/ 1,
+					      /*field*/ 4,
+					      /*bit_valid*/ 0,
+					      /*bit*/ 0);
+			ctl_done((union ctl_io *)ctsio);
+			return (CTL_RETVAL_COMPLETE);
 		}
 		total_len = sizeof(struct scsi_report_supported_opcodes_one) + 32;
 		break;