From e91bae8e98a6438156752dfbe9c0e2494d4b80f6 Mon Sep 17 00:00:00 2001 From: Eric Blake Date: Tue, 9 Feb 2021 09:23:50 -0600 Subject: [PATCH] scsi: Silence gcc warning MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit On Fedora 33, gcc 10.2.1 notes that scsi_cdb_length(buf) can set len==-1, which in turn overflows g_malloc(): [5/5] Linking target qemu-system-x86_64 In function ‘scsi_disk_new_request_dump’, inlined from ‘scsi_new_request’ at ../hw/scsi/scsi-disk.c:2608:9: ../hw/scsi/scsi-disk.c:2582:19: warning: argument 1 value ‘18446744073709551612’ exceeds maximum object size 9223372036854775807 [-Walloc-size-larger-than=] 2582 | line_buffer = g_malloc(len * 5 + 1); | ^ Silence it with a decent assertion, since we only convert a buffer to bytes when we have a valid cdb length. Signed-off-by: Eric Blake Reviewed-by: Philippe Mathieu-Daudé Message-Id: <20210209152350.207958-1-eblake@redhat.com> Signed-off-by: Laurent Vivier --- hw/scsi/scsi-disk.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c index bd7103cd0e..2eaea7e637 100644 --- a/hw/scsi/scsi-disk.c +++ b/hw/scsi/scsi-disk.c @@ -2565,6 +2565,7 @@ static void scsi_disk_new_request_dump(uint32_t lun, uint32_t tag, uint8_t *buf) int len = scsi_cdb_length(buf); char *line_buffer, *p; + assert(len > 0 && len <= 16); line_buffer = g_malloc(len * 5 + 1); for (i = 0, p = line_buffer; i < len; i++) { -- 2.11.4.GIT