author | Laszlo Ersek <lersek@redhat.com> | 2013-11-02 20:14:21 +0100 |
---|---|---|
committer | Michael Roth <mdroth@linux.vnet.ibm.com> | 2013-12-09 14:49:49 -0600 |
commit | 192d2f4cc7931668d4e4f10e882af3c097193c47 (patch) | |
tree | a03e4072035e31d30eaca59415de7e1b39083023 /hmp-commands.hx | |
parent | 9388fdb603e69d1c251f9bdfaac575ad3258583a (diff) |

scsi_target_send_command(): amend stable-1.6 port of the CVE-2013-4344 fix

The originally suggested fix for CVE-2013-4344 introduced a regression in
scsi_target_send_command() / REQUEST_SENSE; the third argument passed to
scsi_device_get_sense() -- for the "len" parameter -- ignored the
possibility of the guest SCSI driver requesting truncated (or shorter than
full) sense data.

This could result in (r->len > req->cmd.xfer) on return, which is not
valid SCSI.

The problem was addressed in the second round, and the commit on the
master branch (84642435) is correct. However the stable-1.6 branch (the
v1.6.1 release) has the original, regressive fix (commit fdcbe7d5); let's
update it.

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

Diffstat (limited to 'hmp-commands.hx')
0 files changed, 0 insertions, 0 deletions
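
The length invariant described in the commit message, as a small stand-alone C model added here (it is not QEMU's code and not part of the commit). The struct, the function names and the sample sense bytes are hypothetical, and the regressive call is modelled as bounding the copy by the buffer size alone, which is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define SENSE_LEN 18   /* constructed: fixed-format sense data size */
/* Hypothetical model of a target request; field names follow the message. */
struct target_req {
    size_t  xfer;        /* allocation length the guest asked for */
    size_t  len;         /* bytes the device reports as available */
    size_t  buf_len;     /* size of buf */
    uint8_t buf[256];
};

/* Constructed pending sense: ILLEGAL REQUEST / INVALID FIELD IN CDB. */
static const uint8_t pending_sense[SENSE_LEN] = {
    0x70, 0, 0x05, 0, 0, 0, 0, 10, 0, 0, 0, 0, 0x24, 0x00
};

/* Copies at most len bytes of sense into buf; returns the count copied. */
static size_t get_sense(uint8_t *buf, size_t len)
{
    size_t n = MIN(len, (size_t)SENSE_LEN);
    memcpy(buf, pending_sense, n);
    return n;
}

/* Assumed regressive shape: bounded by the buffer only, so len may exceed xfer. */
size_t request_sense_buffer_bound(struct target_req *r, size_t xfer)
{
    r->xfer = xfer;
    r->buf_len = sizeof r->buf;
    r->len = get_sense(r->buf, r->buf_len);
    return r->len;
}

/* Clamped shape: bounded by the buffer AND the requested transfer length. */
size_t request_sense_clamped(struct target_req *r, size_t xfer)
{
    r->xfer = xfer;
    r->buf_len = sizeof r->buf;
    r->len = get_sense(r->buf, MIN(r->xfer, r->buf_len));
    return r->len;
}

/* The invariant from the commit message: len must never exceed xfer. */
int reply_is_valid(const struct target_req *r)
{
    return r->len <= r->xfer && r->len <= r->buf_len;
}
```

A check like `reply_is_valid()` works as an assertion in a unit test for any emulated REQUEST SENSE path, exercised with allocation lengths of 0, a few bytes, and more than the sense size.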