author | Asias He <asias@redhat.com> | 2013-10-09 15:41:03 +0800 |
---|---|---|
committer | Paolo Bonzini <pbonzini@redhat.com> | 2013-10-09 17:24:18 +0200 |
commit | 846424350b292f16b732b573273a5c1f195cd7a3 (patch) | |
tree | 0a25400c33e0c31eac0c451debea9ec630357168 /include/hw/scsi | |
parent | 24c7608a5d973e5d562715998e9887f74deac794 (diff) |
scsi: Allocate SCSITargetReq r->buf dynamically [CVE-2013-4344]
r->buf is hardcoded to 2056 which is (256 + 1) * 8, allowing 256 luns at
most. If more than 256 luns are specified by user, we have buffer
overflow in scsi_target_emulate_report_luns.
To fix, we allocate the buffer dynamically.
Signed-off-by: Asias He <asias@redhat.com>
Tested-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'include/hw/scsi')
-rw-r--r-- | include/hw/scsi/scsi.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/include/hw/scsi/scsi.h b/include/hw/scsi/scsi.h index 1b6651054a..76f6ac24a7 100644 --- a/include/hw/scsi/scsi.h +++ b/include/hw/scsi/scsi.h @@ -9,6 +9,8 @@ #define MAX_SCSI_DEVS 255 #define SCSI_CMD_BUF_SIZE 16 +#define SCSI_SENSE_LEN 18 +#define SCSI_INQUIRY_LEN 36 typedef struct SCSIBus SCSIBus; typedef struct SCSIBusInfo SCSIBusInfo; |
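Review bot: The two added defines, `SCSI_SENSE_LEN 18` and `SCSI_INQUIRY_LEN 36`, go in next to `SCSI_CMD_BUF_SIZE` with no comment saying which buffer each one sizes. Nothing in this header connects them to the REPORT LUNS overflow the commit message describes. Please add a one-line comment to each, for example that 18 is the fixed-format sense data length and 36 is the standard INQUIRY data length, so later users do not reuse them as a general response-buffer bound. The diffstat shown here is limited to `include/hw/scsi`, so the allocation itself is not visible in this view. When reviewing the rest of the patch, confirm that the REPORT LUNS buffer length is derived from the actual LUN count (8 bytes of header plus 8 bytes per LUN, matching the `(256 + 1) * 8` in the message) and is not capped by either of these constants.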