qemu-devel
[Qemu-devel] [PATCH] scsi: do not overwrite memory on REQUEST SENSE comm


From: Paolo Bonzini
Subject: [Qemu-devel] [PATCH] scsi: do not overwrite memory on REQUEST SENSE commands with a large buffer
Date: Sun, 14 Aug 2011 14:05:49 -0700

Other scsi_target_reqops commands were careful about not using r->cmd.xfer
directly, and instead always cap it to a fixed length.  This was not done
for REQUEST SENSE, and this patch fixes it.

Reported-by: Blue Swirl <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
        The way you called REQUEST SENSE from OpenBIOS is correct, the
        bug is clearly in QEMU.  However, I would like to stress that
        you do not need to call it.  Sense data is automatically
        overwritten by the next command, but it is only reported after
        a command returned CHECK CONDITION.  So, REQUEST SENSE always
        gets you information too late.  That's why in your case what
        you want is TEST UNIT READY.  If you want, after each failed
        TEST UNIT READY command you _can_ REQUEST SENSE and check that
        indeed you're getting a unit attention and not another sense
        key, but that's not really necessary.

 hw/scsi-bus.c            |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
index 559d5a4..80d6bf0 100644
--- a/hw/scsi-bus.c
+++ b/hw/scsi-bus.c
@@ -292,7 +292,8 @@ static int32_t scsi_target_send_command(SCSIRequest *req, 
uint8_t *buf)
         if (req->cmd.xfer < 4) {
             goto illegal_request;
         }
-        r->len = scsi_device_get_sense(r->req.dev, r->buf, req->cmd.xfer,
+        r->len = scsi_device_get_sense(r->req.dev, r->buf,
+                                       MIN(req->cmd.xfer, sizeof r->buf),
                                        (req->cmd.buf[1] & 1) == 0);
         break;
     default:
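
Review bot: the cap added to the scsi_device_get_sense() call is applied at this one call site, which is the same per-command pattern the commit message says REQUEST SENSE had missed. Consider computing the bounded length once, right after the req->cmd.xfer < 4 check or before the switch, so that a command added later cannot pass req->cmd.xfer through unclamped. The bound sizeof r->buf is also only the buffer size while r->buf is an array member; if it ever becomes a pointer, the expression silently turns into the pointer size, so a named length constant shared with the buffer declaration would be more robust. Minor style point: sizeof(r->buf) with parentheses reads more clearly inside the MIN() argument list.
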
-- 
1.7.6



