Message-ID: <4F1E69F3.4040406@redhat.com>
In-Reply-To: <20120123181426.GA14494@akamai.com>
Date: Tue, 24 Jan 2012 09:21:07 +0100
From: Paolo Bonzini
Subject: Re: [Qemu-devel] [PATCH] scsi: restrict buffer length to req->cmd.xfer for responses to INQUIRY commands.
To: Thomas Higdon
Cc: qemu-trivial, Kevin Wolf, qemu-devel, Paul Brook

On 01/23/2012 07:14 PM, Thomas Higdon wrote:
> > Can you please also do the same REPORT LUNS and INQUIRY in hw/scsi-bus.c?
>
> You're talking about the scsi_target_emulate_report_luns() and
> scsi_target_emulate_inquiry() functions in hw/scsi-bus.c? By my read of
> the code, these appear safe. In both functions, I see len getting set
> via calls to MIN with r->req->cmd.xfer as one of the arguments. If
> you're referring to something else, can you be more specific?

Ugh, you're right, sorry. I just looked for if.*xfer.

Paolo
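
The pattern discussed in this thread, clamping an emulated INQUIRY response to the transfer length the initiator asked for, shown as an added example that is not part of the original message and is not QEMU's code. The helper names, buffer sizes and the vendor/product strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define INQUIRY 0x12          /* SCSI INQUIRY opcode */
#define STD_INQUIRY_LEN 36    /* standard INQUIRY data length */

/* Allocation length of a 6-byte INQUIRY CDB: bytes 3-4, big-endian. */
static size_t inquiry_alloc_len(const uint8_t *cdb)
{
    return ((size_t)cdb[3] << 8) | cdb[4];
}

/*
 * Hypothetical emulation helper (assumed name, not from QEMU). The response
 * is built in a private buffer, then at most `xfer` bytes are copied out, so
 * a short allocation length truncates the data instead of overrunning the
 * destination. Returns bytes written, or -1 for a non-INQUIRY CDB.
 */
static int emulate_inquiry(const uint8_t *cdb, uint8_t *out, size_t out_size)
{
    uint8_t resp[STD_INQUIRY_LEN];
    size_t xfer, len;

    if (cdb[0] != INQUIRY) {
        return -1;
    }
    memset(resp, 0, sizeof(resp));
    resp[0] = 0x00;                      /* direct-access block device */
    resp[2] = 0x05;                      /* version: SPC-3 */
    resp[3] = 0x02;                      /* response data format */
    resp[4] = STD_INQUIRY_LEN - 5;       /* bytes following byte 4 */
    memcpy(&resp[8], "EXAMPLE ", 8);             /* constructed vendor id */
    memcpy(&resp[16], "CONSTRUCTED DISK", 16);   /* constructed product id */
    memcpy(&resp[32], "0001", 4);                /* constructed revision */

    xfer = inquiry_alloc_len(cdb);       /* what the initiator asked for */
    len = MIN(sizeof(resp), xfer);       /* never send more than requested */
    len = MIN(len, out_size);            /* never write past the destination */
    memcpy(out, resp, len);
    return (int)len;
}

int main(void)
{
    uint8_t cdb[6] = { INQUIRY, 0, 0, 0, 5, 0 };  /* allocation length 5 */
    uint8_t buf[64];

    printf("bytes returned: %d\n", emulate_inquiry(cdb, buf, sizeof(buf)));
    return 0;
}
```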