From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([208.118.235.92]:47080) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1SQLNE-0003be-4u for qemu-devel@nongnu.org; Fri, 04 May 2012 12:28:53 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1SQLNA-0004Yi-Ms for qemu-devel@nongnu.org; Fri, 04 May 2012 12:28:51 -0400 Received: from v220110690675601.yourvserver.net ([78.47.199.172]:42695) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1SQLNA-0004WG-DE for qemu-devel@nongnu.org; Fri, 04 May 2012 12:28:48 -0400 Message-ID: <4FA403BD.2050309@weilnetz.de> Date: Fri, 04 May 2012 18:28:45 +0200 From: Stefan Weil MIME-Version: 1.0 References: <1336121154-26517-1-git-send-email-pbonzini@redhat.com> <1336121154-26517-3-git-send-email-pbonzini@redhat.com> In-Reply-To: <1336121154-26517-3-git-send-email-pbonzini@redhat.com> Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [Qemu-devel] [PATCH 02/14] scsi: prevent data transfer overflow List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Paolo Bonzini Cc: qemu-devel@nongnu.org Am 04.05.2012 10:45, schrieb Paolo Bonzini: > Avoid sending more than 2GB of data, as that can cause overflows > in int32_t variables. > > Signed-off-by: Paolo Bonzini > --- > hw/scsi-bus.c | 38 ++++++++++++++++++++++++++------------ > 1 file changed, 26 insertions(+), 12 deletions(-) > > diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c > index dbdb99c..c29a4ae 100644 > --- a/hw/scsi-bus.c > +++ b/hw/scsi-bus.c > @@ -239,6 +239,18 @@ int scsi_bus_legacy_handle_cmdline(SCSIBus *bus) > return res; > } > > +static int32_t scsi_invalid_field(SCSIRequest *req, uint8_t *buf) > +{ > + scsi_req_build_sense(req, SENSE_CODE(INVALID_FIELD)); > + scsi_req_complete(req, CHECK_CONDITION); > + return 0; > +} > + > +static const struct SCSIReqOps reqops_invalid_field = { > + .size = sizeof(SCSIRequest), > + .send_command = scsi_invalid_field > +}; > + > /* SCSIReqOps implementation for invalid commands. */ > > static int32_t scsi_invalid_command(SCSIRequest *req, uint8_t *buf) > @@ -517,18 +529,20 @@ SCSIRequest *scsi_req_new(SCSIDevice *d, uint32_t tag, uint32_t lun, > cmd.lba); > } > > - if ((d->unit_attention.key == UNIT_ATTENTION || > - bus->unit_attention.key == UNIT_ATTENTION)&& > - (buf[0] != INQUIRY&& > - buf[0] != REPORT_LUNS&& > - buf[0] != GET_CONFIGURATION&& > - buf[0] != GET_EVENT_STATUS_NOTIFICATION&& > - > - /* > - * If we already have a pending unit attention condition, > - * report this one before triggering another one. > - */ > - !(buf[0] == REQUEST_SENSE&& d->sense_is_ua))) { > + if (cmd.xfer> INT32_MAX) { > + req = scsi_req_alloc(&reqops_invalid_field, d, tag, lun, hba_private); WARNING: line over 80 characters #54: FILE: hw/scsi-bus.c:533: + req = scsi_req_alloc(&reqops_invalid_field, d, tag, lun, hba_private); total: 0 errors, 1 warnings, 50 lines checked 0002-scsi-prevent-data-transfer-overflow.patch has style problems, please review. If any of these errors are false positives report them to the maintainer, see CHECKPATCH in MAINTAINERS. > + } else if ((d->unit_attention.key == UNIT_ATTENTION || > + bus->unit_attention.key == UNIT_ATTENTION)&& > + (buf[0] != INQUIRY&& > + buf[0] != REPORT_LUNS&& > + buf[0] != GET_CONFIGURATION&& > + buf[0] != GET_EVENT_STATUS_NOTIFICATION&& > + > + /* > + * If we already have a pending unit attention condition, > + * report this one before triggering another one. > + */ > + !(buf[0] == REQUEST_SENSE&& d->sense_is_ua))) { > req = scsi_req_alloc(&reqops_unit_attention, d, tag, lun, > hba_private); > } else if (lun != d->lun ||