From 6136b29515f8ad4771c548bb2506cc0297b9107e Mon Sep 17 00:00:00 2001 From: uweseimet <48174652+uweseimet@users.noreply.github.com> Date: Fri, 16 Jul 2021 02:52:01 +0200 Subject: [PATCH] Daynaport: Fixed potential buffer overflow and removed INQUIRY excess bytes (#123) * Fixed potential buffer overflow and removed INQUIRY excess bytes * Daynaport: Report an error for LUNs > 0 --- src/raspberrypi/devices/scsi_daynaport.cpp | 33 ++++++++++++---------- src/raspberrypi/devices/scsi_daynaport.h | 24 +++------------- 2 files changed, 22 insertions(+), 35 deletions(-) diff --git a/src/raspberrypi/devices/scsi_daynaport.cpp b/src/raspberrypi/devices/scsi_daynaport.cpp index e96504aa..b21a709d 100644 --- a/src/raspberrypi/devices/scsi_daynaport.cpp +++ b/src/raspberrypi/devices/scsi_daynaport.cpp @@ -117,10 +117,8 @@ BOOL FASTCALL SCSIDaynaPort::Open(const Filepath& path, BOOL attn) // INQUIRY // //--------------------------------------------------------------------------- -int FASTCALL SCSIDaynaPort::Inquiry( - const DWORD *cdb, BYTE *buffer, DWORD major, DWORD minor) +int FASTCALL SCSIDaynaPort::Inquiry(const DWORD *cdb, BYTE *buffer, DWORD major, DWORD minor) { - DWORD allocation_length; // scsi_cdb_6_byte_t command; // memcpy(&command,cdb,sizeof(command)); @@ -129,7 +127,7 @@ int FASTCALL SCSIDaynaPort::Inquiry( ASSERT(cdb[0] == 0x12); //allocation_length = command->length; - allocation_length = cdb[4] + (((DWORD)cdb[3]) << 8); + DWORD allocation_length = cdb[4] + (((DWORD)cdb[3]) << 8); // if(allocation_length != command.length){ // LOGDEBUG("%s CDB: %02X %02X %02X %02X %02X %02X", __PRETTY_FUNCTION__, (unsigned int)cdb[0], (unsigned int)cdb[1], (unsigned int)cdb[2], (unsigned int)cdb[3], (unsigned int)cdb[4], (unsigned int)cdb[5] ); // LOGWARN(":::::::::: Expected allocation length %04X but found %04X", (unsigned int)allocation_length, (unsigned int)command.length); 
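Review bot: The `(DWORD)` cast in the new declaration `DWORD allocation_length = cdb[4] + (((DWORD)cdb[3]) << 8);` is redundant, because the parameter is declared `const DWORD *cdb`, so `cdb[3]` is already a DWORD; `DWORD allocation_length = (cdb[3] << 8) | cdb[4];` expresses the same value without a C-style cast. The declaration now sits between the commented-out `scsi_cdb_6_byte_t command` block and the commented-out length comparison that refers to it; either delete that dead code or add a one-line comment saying why it is kept. Inquiry's body continues past this hunk.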
@@ -138,20 +136,25 @@ int FASTCALL SCSIDaynaPort::Inquiry( LOGTRACE("%s Inquiry with major %ld, minor %ld. Allocation length: %d",__PRETTY_FUNCTION__, major, minor, (int)allocation_length); - if(cdb[1] & 0x3) { - LOGWARN("Tiny SCSI Emulator says this is an invalid request"); + // Work-around in order to report an error for LUNs > 0 + DWORD lun = (cdb[1] >> 5) & 0x07; + if (lun) { + disk.code = DISK_INVALIDLUN; + return -1; } - if(allocation_length > 4){ - // Copy the pre-canned response - memcpy(buffer, m_target_ethernet_inquiry_response, allocation_length); - // Set the size - //buffer[4] = (BYTE)((allocation_length - 7) & 0xFF); - // The inquiry response format only allows for a 1 byte 'additional size' field - if(allocation_length > 0xFF){ - LOGWARN("%s The inquiry format only allows for a maximum of %d (0xFF + 4) bytes",\ - __PRETTY_FUNCTION__, (int)0xFF + 4) + if(cdb[1] & 0x1) { + LOGERROR("EVPD bit is not supported"); + return -1; + } + + if (allocation_length > 4){ + if (allocation_length > sizeof(m_daynaport_inquiry_response)) { + allocation_length = sizeof(m_daynaport_inquiry_response); } + + // Copy the pre-canned response + memcpy(buffer, m_daynaport_inquiry_response, allocation_length); } LOGTRACE("response size is %d", (int)allocation_length); diff --git a/src/raspberrypi/devices/scsi_daynaport.h b/src/raspberrypi/devices/scsi_daynaport.h index 8c682cc0..ab41b1b8 100644 --- a/src/raspberrypi/devices/scsi_daynaport.h +++ b/src/raspberrypi/devices/scsi_daynaport.h 
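Review bot: The copy is still gated on `allocation_length > 4`, so for allocation lengths 1 to 4 nothing is written to `buffer`, yet the trace line reports that length as the response size and, if the return statement outside this hunk still hands back `allocation_length`, the caller transfers that many bytes of whatever `buffer` previously held. The new clamp is what makes the copy safe, so the threshold can go: `if (allocation_length > sizeof(m_daynaport_inquiry_response)) { allocation_length = sizeof(m_daynaport_inquiry_response); }` followed by an unconditional `memcpy(buffer, m_daynaport_inquiry_response, allocation_length);` (a zero-length memcpy is fine). The EVPD branch returns -1 without setting `disk.code`, unlike the LUN branch directly above it, so the initiator would see whatever sense code the previous command left behind; set the illegal-request code the rest of the file uses before that return. Note also that the bound only protects the source array: the capacity of `buffer` is not visible here, so the code still relies on the caller providing at least 44 bytes. The function's return is outside this hunk.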
@@ -153,40 +153,24 @@ private: // Basic data - // buf[0] ... CD-ROM Device - // buf[1] ... Removable + // buf[0] ... Processor Device + // buf[1] ... Not removable // buf[2] ... SCSI-2 compliant command system // buf[3] ... SCSI-2 compliant Inquiry response // buf[4] ... Inquiry additional data //http://www.bitsavers.org/pdf/apple/scsi/dayna/daynaPORT/pocket_scsiLINK/pocketscsilink_inq.png - const uint8_t m_target_ethernet_inquiry_response[255] = { + const uint8_t m_daynaport_inquiry_response[44] = { 0x03, 0x00, 0x01, 0x00, // 4 bytes 0x1E, 0x00, 0x00, 0x00, // 4 bytes // Vendor ID (8 Bytes) 'D','a','y','n','a',' ',' ',' ', - //'D','A','Y','N','A','T','R','N', // Product ID (16 Bytes) 'S','C','S','I','/','L','i','n', 'k',' ',' ',' ',' ',' ',' ',' ', // Revision Number (4 Bytes) '1','.','4','a', // Firmware Version (8 Bytes) - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - // Data - 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, //16 bytes - 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, //16 bytes - 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, //16 bytes - 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, //16 bytes - 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, //16 bytes - 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, //16 bytes - 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x80,0x80,0xBA, //16 bytes - 0x00,0x00,0xC0,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, //16 bytes - 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, //16 bytes - 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, //16 bytes - 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x81, 0x00,0x00,0x00,0x00, //16 bytes - 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 
0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, //16 bytes - 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, //16 bytes - 0x00,0x00,0x00 //3 bytes + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
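Review bot: The additional-length byte at index 4 of `m_daynaport_inquiry_response` is still `0x1E` (30), which tells the initiator that the standard INQUIRY data ends after 35 bytes, while the array now holds 44 and the .cpp hunk lets an initiator request all 44; a host that honours the advertised length will never see the trailing "Firmware Version" bytes. If that value is taken from the real device's response (the bitsavers image cited in the comment), say so next to the table, e.g. `// byte 4 (0x1E) is what the captured SCSI/Link response reports -- confirm; the 8 firmware bytes lie beyond the advertised length`, otherwise byte 4 should be 0x27 for a 44-byte response. As a `const` non-static member every instance carries its own 44-byte copy of the table; a `static const` member with an out-of-class definition, or a file-scope array in the .cpp, gives a single read-only object without changing the `sizeof` use in Inquiry. The class body continues outside this hunk.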