scsi-disk: fix buffer overflow

In case s->version is shorter than 4 bytes we overflow the memcpy src buffer. Fix it by clearing the target buffer, then copy only the amount of bytes we actually have. Signed-off-by: N Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: N Anthony Liguori <aliguori@us.ibm.com>

scsi-disk: fix buffer overflow
In case s->version is shorter than 4 bytes we overflow the memcpy src buffer. Fix it by clearing the target buffer, then copy only the amount of bytes we actually have. Signed-off-by: N Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: N Anthony Liguori <aliguori@us.ibm.com>
314b1811 · Gerd Hoffmann · Anthony Liguori · 3a0558b5 · 314b1811
隐藏空白更改
内联并排

Showing with 3 addition and 1 deletion

hw/scsi-disk.c hw/scsi-disk.c +3 -1

未找到文件。
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -460,7 +460,9 @@ static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
        memcpy(&outbuf[16], "QEMU HARDDISK   ", 16);
    }
    memcpy(&outbuf[8], "QEMU    ", 8);
-    memcpy(&outbuf[32], s->version ? s->version : QEMU_VERSION, 4);
+    memset(&outbuf[32], 0, 4);
+    memcpy(&outbuf[32], s->version ? s->version : QEMU_VERSION,
+           MIN(4, strlen(s->version ? s->version : QEMU_VERSION)));
    /*
     * We claim conformance to SPC-3, which is required for guests
     * to ask for modern features like READ CAPACITY(16) or the