Commit 57dbb58d authored by Paolo Bonzini's avatar Paolo Bonzini
Browse files

scsi-generic: avoid out-of-bounds access to VPD page list 



A device can report an excessive number of VPD pages when asked for a
list; this can cause an out-of-bounds access to buf in
scsi_generic_set_vpd_bl_emulation.  It should not happen, but
it is technically not incorrect so handle it: do not check any byte
past the allocation length that was sent to the INQUIRY command.

Reported-by: default avatarMax Reitz <mreitz@redhat.com>
Reviewed-by: default avatarMax Reitz <mreitz@redhat.com>
Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
parent 6c219fc8

hw/scsi/scsi-generic.c

+1 −1
Original line number Diff line number Diff line
@@ -538,7 +538,7 @@ static void scsi_generic_set_vpd_bl_emulation(SCSIDevice *s) 
    }



    page_len = buf[3];

    for (i = 4; i < page_len + 4; i++) {

    for (i = 4; i < MIN(sizeof(buf), page_len + 4); i++) {

        if (buf[i] == 0xb0) {

            s->needs_vpd_bl_emulation = false;

            return;