scsi: do not overwrite memory on REQUEST SENSE commands with a large buffer

Other scsi_target_reqops commands were careful about not using r->cmd.xfer directly, and instead always cap it to a fixed length. This was not done for REQUEST SENSE, and this patch fixes it. Reported-by: N Blue Swirl <blauwirbel@gmail.com> Signed-off-by: N Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: N Blue Swirl <blauwirbel@gmail.com>

scsi: do not overwrite memory on REQUEST SENSE commands with a large buffer
Other scsi_target_reqops commands were careful about not using r->cmd.xfer directly, and instead always cap it to a fixed length. This was not done for REQUEST SENSE, and this patch fixes it. Reported-by: N Blue Swirl <blauwirbel@gmail.com> Signed-off-by: N Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: N Blue Swirl <blauwirbel@gmail.com>
8b2a04ee · Paolo Bonzini · Blue Swirl · 3b6ffe50 · 8b2a04ee
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

hw/scsi-bus.c hw/scsi-bus.c +2 -1

未找到文件。
--- a/hw/scsi-bus.c
+++ b/hw/scsi-bus.c
@@ -292,7 +292,8 @@ static int32_t scsi_target_send_command(SCSIRequest *req, uint8_t *buf)
        if (req->cmd.xfer < 4) {
            goto illegal_request;
        }
-        r->len = scsi_device_get_sense(r->req.dev, r->buf, req->cmd.xfer,
+        r->len = scsi_device_get_sense(r->req.dev, r->buf,
+                                       MIN(req->cmd.xfer, sizeof r->buf),
                                       (req->cmd.buf[1] & 1) == 0);
        break;
    default: