diff options
author | Asias He <asias@redhat.com> | 2013-10-09 15:41:03 +0800 |
---|---|---|
committer | Paolo Bonzini <pbonzini@redhat.com> | 2013-10-09 17:24:18 +0200 |
commit | 846424350b292f16b732b573273a5c1f195cd7a3 (patch) | |
tree | 0a25400c33e0c31eac0c451debea9ec630357168 /hw/input/ps2.c | |
parent | 24c7608a5d973e5d562715998e9887f74deac794 (diff) |
scsi: Allocate SCSITargetReq r->buf dynamically [CVE-2013-4344]
r->buf is hardcoded to 2056 which is (256 + 1) * 8, allowing 256 luns at
most. If more than 256 luns are specified by user, we have buffer
overflow in scsi_target_emulate_report_luns.
To fix, we allocate the buffer dynamically.
Signed-off-by: Asias He <asias@redhat.com>
Tested-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'hw/input/ps2.c')
0 files changed, 0 insertions, 0 deletions