From: | Daniel Henrique Barboza |
Subject: | Re: [Qemu-devel] [PATCH 2/4] scsi-generic: avoid out-of-bounds access to VPD page list |
Date: | Tue, 6 Nov 2018 13:40:30 -0200 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1 |
On 10/29/18 2:34 PM, Paolo Bonzini wrote:
A device can report an excessive number of VPD pages when asked for a list; this can cause an out-of-bounds access to buf in scsi_generic_set_vpd_bl_emulation. It should not happen, but it is technically not incorrect so handle it: do not check any byte past the allocation length that was sent to the INQUIRY command.

Reported-by: Max Reitz <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
Reviewed-by: Daniel Henrique Barboza <address@hidden>
hw/scsi/scsi-generic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c index aebb7cdd82..c5497bbea8 100644 --- a/hw/scsi/scsi-generic.c +++ b/hw/scsi/scsi-generic.c @@ -538,7 +538,7 @@ static void scsi_generic_set_vpd_bl_emulation(SCSIDevice *s) }page_len = buf[3];- for (i = 4; i < page_len + 4; i++) { + for (i = 4; i < MIN(sizeof(buf), page_len + 4); i++) { if (buf[i] == 0xb0) { s->needs_vpd_bl_emulation = false; return;
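Review bot: In the new loop condition, MIN(sizeof(buf), page_len + 4) is a real limit only while buf is an array declared in this function; if buf is ever turned into a pointer, sizeof(buf) becomes the pointer size and the scan silently stops after a few entries. The commit message describes the limit as the allocation length sent to the INQUIRY command, so consider bounding the loop with that same length (a named constant or variable shared with the command setup) rather than sizeof. A short comment would also help here: when the device's page list is longer than the buffer, a 0xb0 entry past the end is never seen and the loop falls through as if the page were not listed.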