Commit 8b2a04ee authored by Paolo Bonzini's avatar Paolo Bonzini Committed by Blue Swirl
Browse files

scsi: do not overwrite memory on REQUEST SENSE commands with a large buffer 



Other scsi_target_reqops commands were careful about not using r->cmd.xfer
directly, and instead always cap it to a fixed length.  This was not done
for REQUEST SENSE, and this patch fixes it.

Reported-by: default avatarBlue Swirl <blauwirbel@gmail.com>
Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: default avatarBlue Swirl <blauwirbel@gmail.com>
parent 3b6ffe50

hw/scsi-bus.c

+2 −1
Original line number Diff line number Diff line
@@ -292,7 +292,8 @@ static int32_t scsi_target_send_command(SCSIRequest *req, uint8_t *buf) 
        if (req->cmd.xfer < 4) {

            goto illegal_request;

        }

        r->len = scsi_device_get_sense(r->req.dev, r->buf, req->cmd.xfer,

        r->len = scsi_device_get_sense(r->req.dev, r->buf,

                                       MIN(req->cmd.xfer, sizeof r->buf),

                                       (req->cmd.buf[1] & 1) == 0);

        break;

    default: