From 846424350b292f16b732b573273a5c1f195cd7a3 Mon Sep 17 00:00:00 2001 From: Asias He Date: Wed, 9 Oct 2013 15:41:03 +0800 Subject: scsi: Allocate SCSITargetReq r->buf dynamically [CVE-2013-4344] r->buf is hardcoded to 2056 which is (256 + 1) * 8, allowing 256 luns at most. If more than 256 luns are specified by user, we have buffer overflow in scsi_target_emulate_report_luns. To fix, we allocate the buffer dynamically. Signed-off-by: Asias He Tested-by: Michael Roth Signed-off-by: Paolo Bonzini --- include/hw/scsi/scsi.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'include') diff --git a/include/hw/scsi/scsi.h b/include/hw/scsi/scsi.h index 1b6651054a..76f6ac24a7 100644 --- a/include/hw/scsi/scsi.h +++ b/include/hw/scsi/scsi.h @@ -9,6 +9,8 @@ #define MAX_SCSI_DEVS 255 #define SCSI_CMD_BUF_SIZE 16 +#define SCSI_SENSE_LEN 18 +#define SCSI_INQUIRY_LEN 36 typedef struct SCSIBus SCSIBus; typedef struct SCSIBusInfo SCSIBusInfo; -- cgit v1.2.3
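Review bot: `SCSI_SENSE_LEN` and `SCSI_INQUIRY_LEN` are added to the shared header with no comment saying what they measure or how they relate to the buffer this commit makes dynamic, even though the commit message names an unexplained size constant (the old 2056) as the cause of the overflow. I would add a comment above them such as `/* Sizes in bytes of fixed-format sense data and of standard INQUIRY data; presumably lower bounds for the SCSITargetReq buffer, not its capacity. */`. Only the header part of the commit is visible in this view, so the allocation itself cannot be checked here. On the .c side, confirm that every write into `r->buf` is bounded by the length actually allocated rather than by one of these constants, and that the REPORT LUNS size is derived from the LUN count without truncation.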