diff options
| author | Eric Blake <eblake@redhat.com> | 2021-02-09 09:23:50 -0600 |
|---|---|---|
| committer | Laurent Vivier <laurent@vivier.eu> | 2021-03-09 21:21:54 +0100 |
| commit | e91bae8e98a6438156752dfbe9c0e2494d4b80f6 (patch) | |
| tree | 668216b4d43f0f9ec607e7245773d0927ce446b7 /hw | |
| parent | cba42d61a379bc1c983ddb39d479de3581d2d578 (diff) | |
| download | qemu-e91bae8e98a6438156752dfbe9c0e2494d4b80f6.zip qemu-e91bae8e98a6438156752dfbe9c0e2494d4b80f6.tar.gz qemu-e91bae8e98a6438156752dfbe9c0e2494d4b80f6.tar.bz2 | |
scsi: Silence gcc warning
On Fedora 33, gcc 10.2.1 notes that scsi_cdb_length(buf) can set
len==-1, which in turn overflows g_malloc():
[5/5] Linking target qemu-system-x86_64
In function ‘scsi_disk_new_request_dump’,
inlined from ‘scsi_new_request’ at ../hw/scsi/scsi-disk.c:2608:9:
../hw/scsi/scsi-disk.c:2582:19: warning: argument 1 value ‘18446744073709551612’ exceeds maximum object size 9223372036854775807 [-Walloc-size-larger-than=]
2582 | line_buffer = g_malloc(len * 5 + 1);
| ^
Silence it with a decent assertion, since we only convert a buffer to
bytes when we have a valid cdb length.
Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210209152350.207958-1-eblake@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Diffstat (limited to 'hw')
| -rw-r--r-- | hw/scsi/scsi-disk.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c index bd7103c..2eaea7e 100644 --- a/hw/scsi/scsi-disk.c +++ b/hw/scsi/scsi-disk.c @@ -2565,6 +2565,7 @@ static void scsi_disk_new_request_dump(uint32_t lun, uint32_t tag, uint8_t *buf) int len = scsi_cdb_length(buf); char *line_buffer, *p; + assert(len > 0 && len <= 16); line_buffer = g_malloc(len * 5 + 1); for (i = 0, p = line_buffer; i < len; i++) { |