author: Asias He <asias@redhat.com> 2013-10-09 15:41:03 +0800
committer: Paolo Bonzini <pbonzini@redhat.com> 2013-10-09 17:24:18 +0200
commit: 846424350b292f16b732b573273a5c1f195cd7a3
tree: 0a25400c33e0c31eac0c451debea9ec630357168 /include/hw/scsi
parent: 24c7608a5d973e5d562715998e9887f74deac794
scsi: Allocate SCSITargetReq r->buf dynamically [CVE-2013-4344]
r->buf is hardcoded to 2056 which is (256 + 1) * 8, allowing 256 luns at most. If more than 256 luns are specified by user, we have buffer overflow in scsi_target_emulate_report_luns.

To fix, we allocate the buffer dynamically.

Signed-off-by: Asias He <asias@redhat.com>
Tested-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'include/hw/scsi')
-rw-r--r-- include/hw/scsi/scsi.h 2
1 files changed, 2 insertions, 0 deletions
diff --git a/include/hw/scsi/scsi.h b/include/hw/scsi/scsi.h
index 1b6651054a..76f6ac24a7 100644
--- a/include/hw/scsi/scsi.h
+++ b/include/hw/scsi/scsi.h
@@ -9,6 +9,8 @@
#define MAX_SCSI_DEVS 255
#define SCSI_CMD_BUF_SIZE 16
+#define SCSI_SENSE_LEN 18
+#define SCSI_INQUIRY_LEN 36
typedef struct SCSIBus SCSIBus;
typedef struct SCSIBusInfo SCSIBusInfo;
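Review bot: SCSI_SENSE_LEN and SCSI_INQUIRY_LEN are added as bare numbers with no comment on what they size, and nothing in this header ties them to the r->buf allocation the commit message describes. A one-line comment on each would help (18 bytes is the fixed-format sense data length, 36 bytes the standard INQUIRY data length), along with a note on whether callers are meant to treat them as lower bounds when computing the dynamic buffer length. This view is limited to include/hw/scsi, so the allocation and the length handling in scsi_target_emulate_report_luns are not visible here and need to be checked against these values in the rest of the patch.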