scsi: do not overwrite memory on REQUEST SENSE commands with a large buffer

Other scsi_target_reqops commands were careful about not using r->cmd.xfer directly, and instead always cap it to a fixed length. This was not done for REQUEST SENSE, and this patch fixes it. Reported-by: Blue Swirl <blauwirbel@gmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
2011-08-14 14:05:49 -07:00 · 2011-08-14 14:05:49 -07:00 · 8b2a04eeb9
parent 3b6ffe5030
commit 8b2a04eeb9
1 changed files with 2 additions and 1 deletions
--- a/hw/scsi-bus.c
+++ b/hw/scsi-bus.c
@ -292,7 +292,8 @@ static int32_t scsi_target_send_command(SCSIRequest *req, uint8_t *buf)
        if (req->cmd.xfer < 4) {
            goto illegal_request;
        }
-        r->len = scsi_device_get_sense(r->req.dev, r->buf, req->cmd.xfer,
+        r->len = scsi_device_get_sense(r->req.dev, r->buf,
+                                       MIN(req->cmd.xfer, sizeof r->buf),
                                       (req->cmd.buf[1] & 1) == 0);
        break;
    default: