From 846424350b292f16b732b573273a5c1f195cd7a3 Mon Sep 17 00:00:00 2001
From: Asias He <asias@redhat.com>
Date: Wed, 9 Oct 2013 15:41:03 +0800
Subject: scsi: Allocate SCSITargetReq r->buf dynamically [CVE-2013-4344]

r->buf is hardcoded to 2056 which is (256 + 1) * 8, allowing 256 luns at
most. If more than 256 luns are specified by user, we have buffer
overflow in scsi_target_emulate_report_luns.

To fix, we allocate the buffer dynamically.

Signed-off-by: Asias He <asias@redhat.com>
Tested-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 include/hw/scsi/scsi.h | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'include/hw/scsi')

diff --git a/include/hw/scsi/scsi.h b/include/hw/scsi/scsi.h
index 1b6651054a..76f6ac24a7 100644
--- a/include/hw/scsi/scsi.h
+++ b/include/hw/scsi/scsi.h
@@ -9,6 +9,8 @@
 #define MAX_SCSI_DEVS	255
 
 #define SCSI_CMD_BUF_SIZE     16
+#define SCSI_SENSE_LEN      18
+#define SCSI_INQUIRY_LEN    36
 
 typedef struct SCSIBus SCSIBus;
 typedef struct SCSIBusInfo SCSIBusInfo;
-- 
cgit v1.2.3