[sane-devel] problem in sanei_scsi.c (and hpusbscsi)

Douglas Gilbert dgilbert@interlog.com
Fri, 12 Apr 2002 00:05:46 -0400


Rene Rebe wrote:
> Hi people.
> 
> I'm currently debugging a segmentation fault in the avision backend's
> calibration code.
> 
> I call:
> sanei_scsi_cmd (s->fd, &rcmd, sizeof (rcmd), calib_data, &calib_size);
> 
> Where calib_data is a pointer to a buffer of 167076 bytes and
> calib_size contains this size.
> 
> But I get a segmentation fault in this sanei_scsi_req_wait (void *id)
> memcpy: around Line 2126 (current CVS):
> 
> /* if we are ok so far, copy over the return data */
> if (status == SANE_STATUS_GOOD)
> {
>   if (req->dst)
>     memcpy (req->dst, req->sgdata.cdb.data, nread); <<====
>   if (req->dst_len)
>     *req->dst_len = nread;
> }
> 
> Because the code wants to copy 167112 bytes. (36 more than I
> requested, need and beyond the buffer ...). I'm using the hpusbscsi
> module here - so it might be a bug of it in the first place. But we
> really should limit the copied data to the buffer size here, like:
> length = (nread > reply_len ? reply_len : nread)
> 
> Any other ideas?

Rene,
The reply_len in the old sg_header interface should be the
expected reply length _plus_ the sizeof(sg_header). It will
be unsurprising to know that sizeof(sg_header) is 36. The
returned data starts at that offset (i.e. 36 bytes into the
read() buffer).


Doug Gilbert
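The following is an added example, not code from sane-backends or from either poster, illustrating the two points of the exchange: the old sg_header interface expects the read() buffer to be the requested data length plus the 36-byte header, and the copy into the caller's buffer should be clamped to the destination size rather than trusting nread. The 36-byte header is represented by a constructed opaque stub (the real struct's fields are not reproduced), and the 167076 / 167112 sizes are the ones from the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the old Linux sg_header. The thread states its
 * size is 36 bytes; the actual fields are irrelevant to the length logic,
 * so they are not modelled here. */
#define SG_HEADER_SIZE 36u

/* Size the read() buffer the way the old sg interface expects: the
 * caller's expected data length plus the header that precedes it. */
size_t sg_reply_len(size_t expected_data_len)
{
    return expected_data_len + SG_HEADER_SIZE;
}

/* Copy returned data out of a raw sg reply into the caller's buffer.
 * `nread` is what read() returned (header followed by data). The data
 * starts SG_HEADER_SIZE bytes into `reply`. Returns the number of data
 * bytes copied, which never exceeds dst_len; *truncated is set when the
 * device returned more than the caller's buffer can hold, so the caller
 * can log the mismatch instead of silently overflowing dst. */
size_t sg_copy_reply(const unsigned char *reply, size_t nread,
                     unsigned char *dst, size_t dst_len, int *truncated)
{
    *truncated = 0;
    if (nread < SG_HEADER_SIZE)
        return 0;                        /* short read: no data to copy */
    size_t data_len = nread - SG_HEADER_SIZE;
    if (data_len > dst_len) {
        *truncated = 1;
        data_len = dst_len;              /* clamp instead of overrunning dst */
    }
    memcpy(dst, reply + SG_HEADER_SIZE, data_len);
    return data_len;
}

/* Constructed reply and destination using the sizes from the thread:
 * 167076 data bytes requested, read() returns that plus the header. */
static unsigned char g_reply[167076 + SG_HEADER_SIZE];
static unsigned char g_dst[167076];

size_t demo_thread_sizes(int *truncated)
{
    size_t nread = sizeof g_reply;       /* 167112, the value Rene observed */
    memset(g_reply, 0, SG_HEADER_SIZE);  /* header bytes: opaque here */
    memset(g_reply + SG_HEADER_SIZE, 0xAB, sizeof g_reply - SG_HEADER_SIZE);
    return sg_copy_reply(g_reply, nread, g_dst, sizeof g_dst, truncated);
}

int main(void)
{
    int truncated;
    size_t copied = demo_thread_sizes(&truncated);
    printf("reply_len for 167076 data bytes: %zu\n", sg_reply_len(167076));
    printf("copied %zu data bytes, truncated=%d\n", copied, truncated);

    /* Oversized reply against a small buffer: copy is clamped, flag is set. */
    unsigned char small_reply[SG_HEADER_SIZE + 8] = {0};
    unsigned char small_dst[4];
    copied = sg_copy_reply(small_reply, sizeof small_reply,
                           small_dst, sizeof small_dst, &truncated);
    printf("clamped copy: %zu bytes, truncated=%d\n", copied, truncated);
    return 0;
}
```

With the header accounted for, the 167112 bytes read() returns carry exactly 167076 bytes of data, which fit the caller's buffer; copying `nread` bytes without subtracting the header is what overran it. The clamp is the backstop Rene suggested, and the `truncated` flag keeps the length mismatch visible rather than hiding it.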