From: Dima Stepanov
Subject: [Qemu-devel] [PATCH v1] qemu-pr-helper: garbage response structure can be used to write data
Date: Fri, 15 Jun 2018 12:11:44 +0300
The prh_co_entry() routine handles requests. The first part is to read a
request by calling the prh_read_request() routine, if:
1. scsi_cdb_xfer(req->cdb) call returns 0, and
2. req->cdb[0] == PERSISTENT_RESERVE_IN, then
the resp->result field will be uninitialized. As a result the resp.sz
field will also be uninitialized in the prh_co_entry() function.
The second part is to send the response by calling the
prh_write_response() routine:
1. For the PERSISTENT_RESERVE_IN command, and
2. resp->result == GOOD (previous successful reply or just luck), then
there is a probability that the following assert will not be triggered:
assert(resp->sz <= req->sz && resp->sz <= sizeof(client->data));
As a result some uninitialized response will be sent.
The fix is to initialize the response structure to CHECK_CONDITION and 0
values before calling the prh_read_request() routine.
Signed-off-by: Dima Stepanov <address@hidden>
---
scsi/qemu-pr-helper.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/scsi/qemu-pr-helper.c b/scsi/qemu-pr-helper.c
index d0f8317..85878c2 100644
--- a/scsi/qemu-pr-helper.c
+++ b/scsi/qemu-pr-helper.c
@@ -768,6 +768,8 @@ static void coroutine_fn prh_co_entry(void *opaque)
PRHelperResponse resp;
int sz;
+ resp.result = CHECK_CONDITION;
+ resp.sz = 0;
sz = prh_read_request(client, &req, &resp, &local_err);
if (sz < 0) {
break;
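Review bot: since resp is declared immediately above the two added assignments, an initializer on the declaration (PRHelperResponse resp = { .result = CHECK_CONDITION, .sz = 0 };) would be more idiomatic and would also zero any remaining members of the structure, which the two field assignments do not. Independently of this, the commit message says the uninitialized path is inside prh_read_request() (xfer == 0 with cdb[0] == PERSISTENT_RESERVE_IN); having that routine set resp->result itself on that path would stop every caller from having to remember the pre-initialization. A short comment above the assignments explaining why they are required (the reader may return without writing resp) would help future readers.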
--
2.7.4
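The failure mode the commit message describes, as an added model that is not qemu-pr-helper's own code: the names pr_read_request, pr_write_response, run_two_requests and struct pr_response are hypothetical, the CDBs are constructed, and one response struct is reused across two requests to stand in for the stack slot the real loop reuses.

```c
/* Added example: a model of the defect fixed by the patch, not the
 * project's code. Names and layout below are assumptions. */
#include <stddef.h>
#include <stdint.h>

#define PERSISTENT_RESERVE_IN 0x5e  /* SCSI opcode named in the commit message */
#define GOOD 0
#define CHECK_CONDITION 2

struct pr_response { int32_t result; int32_t sz; };  /* assumed layout */

/* Models the path described in the commit message: when the CDB carries
 * no data transfer (xfer == 0) and the opcode is PERSISTENT RESERVE IN,
 * the reader returns without writing *resp at all. */
static int pr_read_request(const uint8_t *cdb, int xfer, struct pr_response *resp)
{
    if (xfer == 0 && cdb[0] == PERSISTENT_RESERVE_IN) {
        return 0;                       /* *resp left untouched */
    }
    resp->result = GOOD;
    resp->sz = xfer;
    return xfer;
}

/* The writer's guard from the patch: a GOOD reply whose sz exceeds the
 * buffer is refused; a stale GOOD reply that fits is sent as-is. */
static int pr_write_response(const struct pr_response *resp, size_t buf_sz)
{
    if (resp->result == GOOD && (size_t)resp->sz > buf_sz) {
        return -1;                      /* would trip the assert in the real code */
    }
    return resp->result;                /* status that would go on the wire */
}

/* Two requests sharing one response struct, like a reused stack slot.
 * With reinit == 0 the second (no-transfer) request inherits the first
 * reply's GOOD/1024 and the writer would ship 1024 bytes of stale data;
 * with reinit == 1 (the patch) it yields CHECK_CONDITION with sz == 0. */
static int run_two_requests(int reinit, struct pr_response *out)
{
    const uint8_t cdb_read[6] = { 0x28 };                    /* constructed READ(10) */
    const uint8_t cdb_prin[10] = { PERSISTENT_RESERVE_IN };  /* constructed PR IN */
    struct pr_response resp = { .result = CHECK_CONDITION, .sz = 0 };

    pr_read_request(cdb_read, 1024, &resp);   /* first reply: GOOD, sz 1024 */
    if (reinit) {
        resp.result = CHECK_CONDITION;        /* the patch's per-request reset */
        resp.sz = 0;
    }
    pr_read_request(cdb_prin, 0, &resp);      /* second request: reader writes nothing */
    *out = resp;
    return pr_write_response(&resp, 4096);
}
```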