Patchwork [STABLE,05/10] scsi-disk: fix buffer overflow

login
register
mail settings
Submitter Kevin Wolf
Date April 9, 2010, 9:46 a.m.
Message ID <1270806388-28138-6-git-send-email-kwolf@redhat.com>
Download mbox | patch
Permalink /patch/49799/
State New
Headers show

Comments

Kevin Wolf - April 9, 2010, 9:46 a.m.
From: Gerd Hoffmann <kraxel@redhat.com>

In case s->version is shorter than 4 bytes we overflow the memcpy src
buffer.  Fix it by clearing the target buffer, then copy only the
amount of bytes we actually have.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from 314b1811c15f4e982e4667d9b845aee4b5a63d91)

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 hw/scsi-disk.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

Patch

diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index b34fbaa..a792012 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -434,7 +434,9 @@  static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
         memcpy(&outbuf[16], "QEMU HARDDISK   ", 16);
     }
     memcpy(&outbuf[8], "QEMU    ", 8);
-    memcpy(&outbuf[32], s->version ? s->version : QEMU_VERSION, 4);
+    memset(&outbuf[32], 0, 4);
+    memcpy(&outbuf[32], s->version ? s->version : QEMU_VERSION,
+           MIN(4, strlen(s->version ? s->version : QEMU_VERSION)));
     /* Identify device as SCSI-3 rev 1.
        Some later commands are also implemented. */
     outbuf[2] = 3;