OpenE2K/qemu-e2k
13
4
Fork 0
Code Issues 4 Pull Requests Projects 2 Releases Activity

scsi-disk: fix buffer overflow

Browse Source 
In case s->version is shorter than 4 bytes we overflow the memcpy src
buffer.  Fix it by clearing the target buffer, then copy only the
amount of bytes we actually have.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
This commit is contained in:
Gerd Hoffmann 2010-03-10 17:47:17 +01:00 committed by Anthony Liguori
parent 3a0558b519
commit 314b1811c1
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
hw/scsi-disk.c
View File

@ -460,7 +460,9 @@ static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
memcpy(&outbuf[16], "QEMU HARDDISK ", 16);
}
memcpy(&outbuf[8], "QEMU ", 8);
memcpy(&outbuf[32], s->version ? s->version : QEMU_VERSION, 4);
memset(&outbuf[32], 0, 4);
memcpy(&outbuf[32], s->version ? s->version : QEMU_VERSION,
MIN(4, strlen(s->version ? s->version : QEMU_VERSION)));
/*
* We claim conformance to SPC-3, which is required for guests
* to ask for modern features like READ CAPACITY(16) or the