| commit | 13a5490536c5c260ad158d5b9672daebcd1d85d5 | |
| author | Philippe Mathieu-Daudé <philmd@redhat.com> | |
| Thu, 5 Mar 2020 12:12:52 +0000 (5 13:12 +0100) | ||
| committer | David Gibson <david@gibson.dropbear.id.au> | |
| Tue, 17 Mar 2020 04:08:50 +0000 (17 15:08 +1100) | ||
| tree | e56917f15045a9356aa437d94d980ffb2bf2699e | treesnapshot (tar.gz zip) |
| parent | ff78b728f6c9d2c274dab20114bfe052322365a1 | commitdiff |
hw/scsi/spapr_vscsi: Prevent buffer overflow
Depending on the length of sense data, vscsi_send_rsp() can
overrun the buffer size.
Do not copy more than SRP_MAX_IU_DATA_LEN bytes, and assert
that vscsi_send_iu() is always called with a size in range.
Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20200305121253.19078-7-philmd@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Depending on the length of sense data, vscsi_send_rsp() can
overrun the buffer size.
Do not copy more than SRP_MAX_IU_DATA_LEN bytes, and assert
that vscsi_send_iu() is always called with a size in range.
Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20200305121253.19078-7-philmd@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
| hw/scsi/spapr_vscsi.c | diffblobblamehistory |