author | Fam Zheng <famz@redhat.com> | 2018-06-29 14:03:27 +0800 |
---|---|---|
committer | Kevin Wolf <kwolf@redhat.com> | 2018-06-29 14:20:56 +0200 |
commit | 1439b9c11002348eb80fcd3c90f07bf0f4f088dc (patch) | |
tree | 0cbfeb4b9c895027927b85690eefd4cee4056121 /block | |
parent | e06f4639d8a93703eecc3aad06c8a3e9b2ef4968 (diff) | |
iscsi: Don't blindly use designator length in response for memcpy
Per SCSI definition the designator_length we receive from INQUIRY is 8,
12 or at most 16, but we should be careful because the remote iscsi
target may misbehave, otherwise we could have a buffer overflow.
Reported-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Diffstat (limited to 'block')
-rw-r--r-- | block/iscsi.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/block/iscsi.c b/block/iscsi.c index bc84b14..9beb06d 100644 --- a/block/iscsi.c +++ b/block/iscsi.c @@ -2226,7 +2226,7 @@ static void iscsi_populate_target_desc(unsigned char *desc, IscsiLun *lun) desc[5] = (dd->designator_type & 0xF) | ((dd->association & 3) << 4); desc[7] = dd->designator_length; - memcpy(desc + 8, dd->designator, dd->designator_length); + memcpy(desc + 8, dd->designator, MIN(dd->designator_length, 20)); desc[28] = 0; desc[29] = (lun->block_size >> 16) & 0xFF; |