From: Philippe Mathieu-Daudé
Subject: [RFC PATCH v2 4/4] hw/scsi/megasas: Have incorrect cdb return MFI_STAT_ABORT_NOT_POSSIBLE
Date: Tue, 1 Dec 2020 20:10:26 +0100
Avoid out-of-bound array access when an invalid CDB is provided.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
RFC because I have no clue how the hardware works
---
hw/scsi/megasas.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index f5ad4425b5b..7e7cbb8854b 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -1680,7 +1680,15 @@ static int megasas_handle_scsi(MegasasState *s,
MegasasCmd *cmd,
if (cdb_len > 0) {
len = scsi_cdb_length(cdb);
}
- assert(len > 0 && cdb_len >= len);
+ if (len < 0 || len < cdb_len) {
+ trace_megasas_scsi_invalid_cdb_len(mfi_frame_desc(frame_cmd),
+ is_logical, target_id,
+ lun_id, cdb_len);
+ megasas_write_sense(cmd, SENSE_CODE(INVALID_FIELD));
+ cmd->frame->header.scsi_status = TASK_ABORTED;
+ s->event_count++;
+ return MFI_STAT_ABORT_NOT_POSSIBLE;
+ }
if (is_logical) {
if (target_id >= MFI_MAX_LD || lun_id != 0) {
trace_megasas_scsi_target_not_present(
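Review bot: the new condition `if (len < 0 || len < cdb_len)` is not the negation of the assertion it replaces, `assert(len > 0 && cdb_len >= len)`, so the out-of-bounds case is still let through. Rejecting what the assert rejected requires `if (len <= 0 || cdb_len < len) {`: as written, `len < 0` accepts `len == 0` (and because `len` is only assigned inside `if (cdb_len > 0)`, the cdb_len == 0 path that test_megasas_cdb_len_zero() in patch 3/4 reproduces never calls scsi_cdb_length() and depends entirely on whatever `len` was initialised to), while `len < cdb_len` rejects the previously legal case where the frame carries more bytes than the decoded CDB length needs and misses the actual overflow case where cdb_len is shorter than the decoded length. It would also help to note in the hunk, or in the commit message, why a malformed CDB is reported as MFI_STAT_ABORT_NOT_POSSIBLE with scsi_status TASK_ABORTED rather than an invalid-command style status, since the commit message only says an out-of-bounds access is avoided.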
--
2.26.2