proxmox-mirrors/qemu
1
0
Fork 0
mirror of https://git.proxmox.com/git/qemu synced 2025-08-07 18:57:14 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

scsi: prevent data transfer overflow

Browse Source 
Avoid sending more than 2GB of data, as that can cause overflows
in int32_t variables.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This commit is contained in:
Paolo Bonzini 2012-02-08 11:49:43 +01:00
parent fa6acb0c2f
commit 12a08998fe
1 changed files with 25 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
hw/scsi-bus.c
View File

@ -239,6 +239,18 @@ int scsi_bus_legacy_handle_cmdline(SCSIBus *bus)
return res; return res;
} }
static int32_t scsi_invalid_field(SCSIRequest *req, uint8_t *buf)
{
scsi_req_build_sense(req, SENSE_CODE(INVALID_FIELD));
scsi_req_complete(req, CHECK_CONDITION);
return 0;
}
static const struct SCSIReqOps reqops_invalid_field = {
.size = sizeof(SCSIRequest),
.send_command = scsi_invalid_field
};
/* SCSIReqOps implementation for invalid commands. */ /* SCSIReqOps implementation for invalid commands. */
static int32_t scsi_invalid_command(SCSIRequest *req, uint8_t *buf) static int32_t scsi_invalid_command(SCSIRequest *req, uint8_t *buf)
@ -517,7 +529,9 @@ SCSIRequest *scsi_req_new(SCSIDevice *d, uint32_t tag, uint32_t lun,
cmd.lba); cmd.lba);
} }
if ((d->unit_attention.key == UNIT_ATTENTION || if (cmd.xfer > INT32_MAX) {
req = scsi_req_alloc(&reqops_invalid_field, d, tag, lun, hba_private);
} else if ((d->unit_attention.key == UNIT_ATTENTION ||
bus->unit_attention.key == UNIT_ATTENTION) && bus->unit_attention.key == UNIT_ATTENTION) &&
(buf[0] != INQUIRY && (buf[0] != INQUIRY &&
buf[0] != REPORT_LUNS && buf[0] != REPORT_LUNS &&