scsi: do not report bogus overruns for commands in the 0x00-0x1F range

Interpreting cdb[4] == 0 as a request to transfer 256 blocks is only needed for READ_6 and WRITE_6. No other command in that range needs that special-casing, and the resulting overrun breaks scsi-testsuite's attempt to use command 2 as a known-invalid command. Signed-off-by: N Paolo Bonzini <pbonzini@redhat.com>

scsi: do not report bogus overruns for commands in the 0x00-0x1F range
Interpreting cdb[4] == 0 as a request to transfer 256 blocks is only needed for READ_6 and WRITE_6. No other command in that range needs that special-casing, and the resulting overrun breaks scsi-testsuite's attempt to use command 2 as a known-invalid command. Signed-off-by: N Paolo Bonzini <pbonzini@redhat.com>
f62d0594 · Paolo Bonzini · da8365db · f62d0594
隐藏空白更改
内联并排

Showing with 10 addition and 6 deletion

hw/scsi-bus.c hw/scsi-bus.c +10 -6

未找到文件。
--- a/hw/scsi-bus.c
+++ b/hw/scsi-bus.c
@@ -735,10 +735,6 @@ static int scsi_req_length(SCSICommand *cmd, SCSIDevice *dev, uint8_t *buf)
    case 0:
        cmd->xfer = buf[4];
        cmd->len = 6;
-        /* length 0 means 256 blocks */
-        if (cmd->xfer == 0) {
-            cmd->xfer = 256;
-        }
        break;
    case 1:
    case 2:
@@ -808,18 +804,26 @@ static int scsi_req_length(SCSICommand *cmd, SCSIDevice *dev, uint8_t *buf)
            cmd->xfer = buf[9] | (buf[8] << 8);
        }
        break;
+    case WRITE_6:
+        /* length 0 means 256 blocks */
+        if (cmd->xfer == 0) {
+            cmd->xfer = 256;
+        }
    case WRITE_10:
    case WRITE_VERIFY_10:
-    case WRITE_6:
    case WRITE_12:
    case WRITE_VERIFY_12:
    case WRITE_16:
    case WRITE_VERIFY_16:
        cmd->xfer *= dev->blocksize;
        break;
-    case READ_10:
    case READ_6:
    case READ_REVERSE:
+        /* length 0 means 256 blocks */
+        if (cmd->xfer == 0) {
+            cmd->xfer = 256;
+        }
+    case READ_10:
    case RECOVER_BUFFERED_DATA:
    case READ_12:
    case READ_16: