[sane-devel] problem in sanei_scsi.c (and hpusbscsi)

Rene Rebe rene.rebe@gmx.net
Fri, 12 Apr 2002 01:36:01 +0200 (CEST)


Hi people.

I'm currently debugging a segmentation fault in the avision backend's
calibration code.

I call:
sanei_scsi_cmd (s->fd, &rcmd, sizeof (rcmd), calib_data, &calib_size);

Where calib_data is a pointer to a buffer of 167076 bytes and
calib_size contains this size.

But I get a segmentation fault in this sanei_scsi_req_wait (void *id)
memcpy: around Line 2126 (current CVS):

/* if we are ok so far, copy over the return data */
if (status == SANE_STATUS_GOOD)
{
  if (req->dst)
    memcpy (req->dst, req->sgdata.cdb.data, nread); <<====
  if (req->dst_len)
    *req->dst_len = nread;
}

Because the code wants to copy 167112 bytes. (36 more than I
requested and need, and beyond the buffer ...). I'm using the hpusbscsi
module here - so it might be a bug of it in the first place. But we
really should limit the copied data to the buffer size here, like:
length = (nread > reply_len ? reply_len : nread)

Any other ideas?

k33p h4ck1n6
  René

--  
René Rebe (Registered Linux user: #248718 <http://counter.li.org>)

eMail:    rene.rebe@gmx.net
          rene@rocklinux.org

Homepage: http://drocklinux.dyndns.org/rene/

Anyone sending unwanted advertising e-mail to this address will be
charged $25 for network traffic and computing time. By extracting my
address from this message or its header, you agree to these terms.
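The bounded copy proposed in the message, worked through as an added example. This is not code from sanei_scsi.c or the avision backend: `struct scsi_req` is a hypothetical stand-in carrying only the fields the copy touches, the names `dst`, `dst_len`, `reply_len` and `nread` follow the message, and the device reply is constructed inline. The unbounded variant is the quoted logic; the bounded variant applies the clamp and reports how many bytes the device returned beyond the caller's buffer, so a mismatch like the 36 extra bytes seen with hpusbscsi is visible instead of silently overrunning memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the request record in sanei_scsi.c; only the
 * fields the reply copy touches are modelled here. */
struct scsi_req {
    void   *dst;        /* caller's buffer (calib_data in the message) */
    size_t *dst_len;    /* caller's size variable; receives bytes copied */
    size_t  reply_len;  /* size of dst as requested by the caller */
};

/* The copy as quoted from the message: trusts nread completely, so a
 * device (or driver) that returns more than reply_len writes past dst. */
void copy_reply_unbounded(struct scsi_req *req, const void *data, size_t nread)
{
    if (req->dst)
        memcpy(req->dst, data, nread);
    if (req->dst_len)
        *req->dst_len = nread;
}

/* Bounded version of the same copy, applying the clamp suggested in the
 * message. Returns how many bytes the device sent beyond the buffer so
 * the caller can log the mismatch instead of silently dropping it. */
size_t copy_reply_bounded(struct scsi_req *req, const void *data, size_t nread)
{
    size_t length = nread > req->reply_len ? req->reply_len : nread;
    if (req->dst)
        memcpy(req->dst, data, length);
    if (req->dst_len)
        *req->dst_len = length;
    return nread - length;
}

/* Sizes taken from the message: 167076 bytes requested, 167112 returned. */
#define REQUESTED 167076u
#define RETURNED  167112u
#define GUARD     16u    /* guard bytes after the buffer to detect overrun */

/* Replay the message's scenario with the bounded copy. Returns the number
 * of dropped bytes, or (size_t)-1 if a guard byte was overwritten or the
 * reported length is wrong. */
size_t check_calibration_copy(void)
{
    unsigned char *buf = malloc(REQUESTED + GUARD);   /* calib_data + guard */
    unsigned char *reply = malloc(RETURNED);           /* constructed device reply */
    size_t copied = 0, dropped, i;
    struct scsi_req req;

    if (!buf || !reply) {
        free(buf);
        free(reply);
        return (size_t)-1;
    }
    memset(buf, 0xAA, REQUESTED + GUARD);
    memset(reply, 0x55, RETURNED);
    req.dst = buf;
    req.dst_len = &copied;
    req.reply_len = REQUESTED;

    dropped = copy_reply_bounded(&req, reply, RETURNED);

    for (i = REQUESTED; i < REQUESTED + GUARD; i++)
        if (buf[i] != 0xAA)
            dropped = (size_t)-1;       /* guard clobbered: copy overran */
    if (copied != REQUESTED || buf[REQUESTED - 1] != 0x55)
        dropped = (size_t)-1;           /* wrong length reported or data missing */

    free(buf);
    free(reply);
    return dropped;
}

int main(void)
{
    size_t dropped = check_calibration_copy();
    if (dropped == (size_t)-1)
        printf("bounded copy failed its guard check\n");
    else
        printf("copied %u of %u bytes, %lu dropped\n",
               REQUESTED, RETURNED, (unsigned long)dropped);
    return 0;
}
```

The clamp alone stops the overrun; returning the surplus count is the extra step worth keeping, because a non-zero value is the signal that the driver below (hpusbscsi in this case) and the backend disagree about the transfer length, which is the real thing to investigate.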