git.proxmox.com Git - qemu.git/commit
scsi: Allocate SCSITargetReq r->buf dynamically [CVE-2013-4344]
author Asias He <asias@redhat.com>
Wed, 9 Oct 2013 07:41:03 +0000 (15:41 +0800)
committer Paolo Bonzini <pbonzini@redhat.com>
Wed, 9 Oct 2013 15:24:18 +0000 (17:24 +0200)
commit 846424350b292f16b732b573273a5c1f195cd7a3
tree 0a25400c33e0c31eac0c451debea9ec630357168
parent 24c7608a5d973e5d562715998e9887f74deac794
scsi: Allocate SCSITargetReq r->buf dynamically [CVE-2013-4344]

r->buf is hardcoded to 2056 which is (256 + 1) * 8, allowing 256 luns at
most. If more than 256 luns are specified by user, we have buffer
overflow in scsi_target_emulate_report_luns.

To fix, we allocate the buffer dynamically.

Signed-off-by: Asias He <asias@redhat.com>
Tested-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
hw/scsi/scsi-bus.c
include/hw/scsi/scsi.h
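
The sizing arithmetic behind this fix, as an added C example that is not code from the QEMU commit: it shows why a 2056-byte buffer holds exactly 256 LUN entries and how sizing the buffer from the LUN count removes the limit. The function names are hypothetical, and the 8-byte header layout and LUN entry encoding are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define FIXED_BUF_SIZE 2056 /* (256 + 1) * 8, the old size per the commit message */
#define HEADER_SIZE 8       /* assumed: 4-byte big-endian list length + 4 reserved */
#define LUN_ENTRY_SIZE 8

/* Bytes needed for a response listing `count` LUNs; 0 if the sum would wrap. */
size_t report_luns_size(size_t count) {
    if (count > (SIZE_MAX - HEADER_SIZE) / LUN_ENTRY_SIZE) return 0;
    return HEADER_SIZE + count * LUN_ENTRY_SIZE;
}

/* Does the response fit the old fixed-size buffer? */
int fits_fixed_buf(size_t count) {
    size_t need = report_luns_size(count);
    return need != 0 && need <= FIXED_BUF_SIZE;
}

/* Build the response in a heap buffer sized from the LUN count (caller frees). */
uint8_t *build_report_luns(const uint16_t *luns, size_t count, size_t *out_len) {
    size_t need = report_luns_size(count);
    if (need == 0 || need - HEADER_SIZE > UINT32_MAX) return NULL;
    uint8_t *buf = calloc(1, need);
    if (buf == NULL) return NULL;
    uint32_t list_len = (uint32_t)(need - HEADER_SIZE);
    buf[0] = (uint8_t)(list_len >> 24);
    buf[1] = (uint8_t)(list_len >> 16);
    buf[2] = (uint8_t)(list_len >> 8);
    buf[3] = (uint8_t)list_len;
    for (size_t i = 0; i < count; i++) {
        uint8_t *e = buf + HEADER_SIZE + i * LUN_ENTRY_SIZE;
        if (luns[i] < 256) {            /* assumed: peripheral device addressing */
            e[1] = (uint8_t)luns[i];
        } else {                        /* assumed: flat addressing, 14-bit LUN */
            e[0] = (uint8_t)(0x40 | ((luns[i] >> 8) & 0x3f));
            e[1] = (uint8_t)(luns[i] & 0xff);
        }
    }
    *out_len = need;
    return buf;
}

int main(void) {
    printf("256 LUNs fit: %d, 257 LUNs fit: %d\n", fits_fixed_buf(256), fits_fixed_buf(257));
    return 0;
}
```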