scsi_cd: Improve TOC access validation
- During CD probing, we read the TOC header to find the number of entries, then read the TOC itself. The header determines the number of entries, which determines the amount of data to read from the device into the softc in the CD_STATE_MEDIA_TOC_FULL state. We hard-code a limit of 99 tracks (plus one for the lead-out) in the softc, but were not validating that the size reported by the media would fit in this hard-coded limit. Kernel memory corruption could occur if not.[1] Add validation to check this, and refuse to cache the TOC if it would not fit.
- The CDIOCPLAYTRACKS ioctl uses caller provided track numbers to index into the TOC, but we only validate the starting index. Add validation of the ending index.
Also, raise the hard-coded limit from 100 tracks to 170, per a
suggestion from Ken.
Reported by: C Turt <ecturt@gmail.com> [1]
Reviewed by: ken, avg
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32803