From: Paolo Bonzini <pbonzini@redhat.com>
Date: Sun, 14 Aug 2011 21:05:49 +0000 (-0700)
Subject: scsi: do not overwrite memory on REQUEST SENSE commands with a large buffer
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=8b2a04eeb95212305d3a39170e1c4bc3dbe45e8a;p=osstest%2Fqemu.git

scsi: do not overwrite memory on REQUEST SENSE commands with a large buffer

Other scsi_target_reqops commands were careful about not using r->cmd.xfer
directly, and instead always cap it to a fixed length.  This was not done
for REQUEST SENSE, and this patch fixes it.

Reported-by: Blue Swirl <blauwirbel@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
---

diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
index 559d5a470..c3ce7df6a 100644
--- a/hw/scsi-bus.c
+++ b/hw/scsi-bus.c
@@ -292,7 +292,8 @@ static int32_t scsi_target_send_command(SCSIRequest *req, uint8_t *buf)
         if (req->cmd.xfer < 4) {
             goto illegal_request;
         }
-        r->len = scsi_device_get_sense(r->req.dev, r->buf, req->cmd.xfer,
+        r->len = scsi_device_get_sense(r->req.dev, r->buf,
+                                       MIN(req->cmd.xfer, sizeof r->buf),
                                        (req->cmd.buf[1] & 1) == 0);
         break;
     default: