authorPaolo Bonzini <pbonzini@redhat.com>2011-08-14 14:05:49 -0700
committerBlue Swirl <blauwirbel@gmail.com>2011-08-16 19:11:51 +0000
commit8b2a04eeb95212305d3a39170e1c4bc3dbe45e8a (patch)
tree383fcc56973c43c7518e99b003c7fb670efe0f3a /hw/scsi-bus.c
parent3b6ffe50300f13240e1b46420ad05da1116df410 (diff)
scsi: do not overwrite memory on REQUEST SENSE commands with a large buffer
Other scsi_target_reqops commands were careful about not using r->cmd.xfer directly, and instead always cap it to a fixed length. This was not done for REQUEST SENSE, and this patch fixes it. Reported-by: Blue Swirl <blauwirbel@gmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
Diffstat (limited to 'hw/scsi-bus.c')
-rw-r--r--hw/scsi-bus.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
index 559d5a4..c3ce7df 100644
--- a/hw/scsi-bus.c
+++ b/hw/scsi-bus.c
@@ -292,7 +292,8 @@ static int32_t scsi_target_send_command(SCSIRequest *req, uint8_t *buf)
if (req->cmd.xfer < 4) {
goto illegal_request;
}
- r->len = scsi_device_get_sense(r->req.dev, r->buf, req->cmd.xfer,
+ r->len = scsi_device_get_sense(r->req.dev, r->buf,
+ MIN(req->cmd.xfer, sizeof r->buf),
(req->cmd.buf[1] & 1) == 0);
break;
default:
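Review bot: The new cap on the REQUEST SENSE length is enforced only at this call site, and nothing in the code says why. Per the commit message `req->cmd.xfer` was previously passed through uncapped, and `scsi_device_get_sense` presumably writes up to whatever length it is given. I would add a comment above the call, `/* cmd.xfer is the allocation length from the command; never let it exceed r->buf */`, so a later refactor does not drop the clamp. It is also worth confirming that `req->cmd.xfer` is an unsigned type, because `MIN` against `sizeof r->buf` would otherwise compare mixed signedness; its declaration is not visible here. The body of `scsi_target_send_command` starts and ends outside the hunk.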