diff options
| author | John Millikin <john@john-millikin.com> | 2022-08-17 14:34:58 +0900 |
|---|---|---|
| committer | Paolo Bonzini <pbonzini@redhat.com> | 2022-09-01 07:42:37 +0200 |
| commit | fe9d8927e265fd723a6dc87cd6d220f4677dbe1f (patch) | |
| tree | 0e2d306704d29e6a06cc10b7a320afcbb31279a1 /hw/scsi/scsi-generic.c | |
| parent | c6e51f1bb28ed762d2039c063cbb71a8ad29762d (diff) | |
| download | qemu-fe9d8927e265fd723a6dc87cd6d220f4677dbe1f.zip qemu-fe9d8927e265fd723a6dc87cd6d220f4677dbe1f.tar.gz qemu-fe9d8927e265fd723a6dc87cd6d220f4677dbe1f.tar.bz2 | |
scsi: Add buf_len parameter to scsi_req_new()
When a SCSI command is received from the guest, the CDB length implied
by the first byte might exceed the number of bytes the guest sent. In
this case scsi_req_new() will read uninitialized data, causing
unpredictable behavior.
Adds the buf_len parameter to scsi_req_new() and plumbs it through the
call stack.
Signed-off-by: John Millikin <john@john-millikin.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1127
Message-Id: <20220817053458.698416-1-john@john-millikin.com>
[Fill in correct length for adapters other than ESP. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'hw/scsi/scsi-generic.c')
| -rw-r--r-- | hw/scsi/scsi-generic.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c index 3d35d30..92cce20 100644 --- a/hw/scsi/scsi-generic.c +++ b/hw/scsi/scsi-generic.c @@ -791,9 +791,10 @@ static Property scsi_generic_properties[] = { }; static int scsi_generic_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, - uint8_t *buf, void *hba_private) + uint8_t *buf, size_t buf_len, + void *hba_private) { - return scsi_bus_parse_cdb(dev, cmd, buf, hba_private); + return scsi_bus_parse_cdb(dev, cmd, buf, buf_len, hba_private); } static void scsi_generic_class_initfn(ObjectClass *klass, void *data) |