proxmox-mirrors/qemu
1
0
Fork 0
mirror of https://git.proxmox.com/git/qemu synced 2025-08-07 14:59:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

scsi: prevent data transfer overflow

Browse Source 
Avoid sending more than 2GB of data, as that can cause overflows
in int32_t variables.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This commit is contained in:
Paolo Bonzini 2012-02-08 11:49:43 +01:00
parent fa6acb0c2f
commit 12a08998fe
1 changed files with 25 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
hw/scsi-bus.c
View File

@ -239,6 +239,18 @@ int scsi_bus_legacy_handle_cmdline(SCSIBus *bus)
return res; return res;
} }
static int32_t scsi_invalid_field(SCSIRequest *req, uint8_t *buf)
{
scsi_req_build_sense(req, SENSE_CODE(INVALID_FIELD));
scsi_req_complete(req, CHECK_CONDITION);
return 0;
}
static const struct SCSIReqOps reqops_invalid_field = {
.size = sizeof(SCSIRequest),
.send_command = scsi_invalid_field
};
/* SCSIReqOps implementation for invalid commands. */ /* SCSIReqOps implementation for invalid commands. */
static int32_t scsi_invalid_command(SCSIRequest *req, uint8_t *buf) static int32_t scsi_invalid_command(SCSIRequest *req, uint8_t *buf)
@ -517,18 +529,20 @@ SCSIRequest *scsi_req_new(SCSIDevice *d, uint32_t tag, uint32_t lun,
cmd.lba); cmd.lba);
} }
if ((d->unit_attention.key == UNIT_ATTENTION || if (cmd.xfer > INT32_MAX) {
bus->unit_attention.key == UNIT_ATTENTION) && req = scsi_req_alloc(&reqops_invalid_field, d, tag, lun, hba_private);
(buf[0] != INQUIRY && } else if ((d->unit_attention.key == UNIT_ATTENTION ||
buf[0] != REPORT_LUNS && bus->unit_attention.key == UNIT_ATTENTION) &&
buf[0] != GET_CONFIGURATION && (buf[0] != INQUIRY &&
buf[0] != GET_EVENT_STATUS_NOTIFICATION && buf[0] != REPORT_LUNS &&
buf[0] != GET_CONFIGURATION &&
buf[0] != GET_EVENT_STATUS_NOTIFICATION &&
/* /*
* If we already have a pending unit attention condition, * If we already have a pending unit attention condition,
* report this one before triggering another one. * report this one before triggering another one.
*/ */
!(buf[0] == REQUEST_SENSE && d->sense_is_ua))) { !(buf[0] == REQUEST_SENSE && d->sense_is_ua))) {
req = scsi_req_alloc(&reqops_unit_attention, d, tag, lun, req = scsi_req_alloc(&reqops_unit_attention, d, tag, lun,
hba_private); hba_private);
} else if (lun != d->lun || } else if (lun != d->lun ||